On Tue, Jan 25, 2005 at 10:38:37AM +0100, Martin Pitt wrote:
> There are two common ways to achieve that:
>
> - Connect as "www-data". For this you need an appropriate PostgreSQL
> user ("createuser www-data" as user postgres). Then you either make
> www-data the owner of the database ("createdb -O www-data mydb") or
> you set the owner to some application-specific PostgreSQL user and
> only GRANT the necessary permissions to www-data (usually you need
> table creation etc. only for package installation and can restrict
> www-data permissions to SELECT/UPDATE).
If I'm understanding correctly, a security drawback of both these
methods is that any web application would effectively have r/w privileges
to every web app's database, right?
> This solution has the advantage that you don't need to modify
> pg_hba.conf (since you can use "ident sameuser" authentication).
Which is certainly not to be overlooked. I think maybe a disclaimer
like "if you run multiple applications, this may present a security
risk" might be in order, but it should definitely be an option.
> - Connect as $dbc_dbuser and use "password" authentication. ident
> doesn't make much sense since the database user does not necessarily
> have a system user counterpart (if it has, then this would of course
> work). But if it hasn't, you need a pg_hba.conf entry.
Thanks for the clarification on all this. I'm also now spending some
time reading the fine manual (online Postgres docs) about
identification/authentication, which will help clarify things a bit.
> I'm open to suggestions about making modifications to pg_hba.conf
> unnecessary in the common case. (I still need some time to read this
What would be helpful here is to hear from a larger number of
Debian/Postgres admins about how they have things set up, to get
an idea what the most common setups actually are.
Also, it looks like pg_hba.conf and pg_ident.conf both have some
kind of @include functionality, which might make messing with either
of the files moot. I'll have to look more into these details...
> unnecessary in the common case. (I still need some time to read this
> thread about the common database infrastructure *sigh*).
You can get the highlights on my p.d.o page :)
sean
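The two setups Martin describes, written out as a psql session, as an added example (editor's illustration, not code from dbconfig-common or from either poster). The database name `mydb`, the owner role `mydb_owner`, the per-application role `app1`, the `orders` table and the `@`-file path are assumptions for illustration; the `pg_hba.conf` lines in the comments use the PostgreSQL 8.x spelling `ident sameuser`, which 9.1 and later replace with `peer` for local sockets.

```sql
-- Run as the postgres superuser: psql -U postgres
-- Editor's added example; names (mydb, mydb_owner, app1, orders) are illustrative.

-- 1. Roles. The application owner keeps DDL rights (table creation) for
--    package installation; www-data, the web server's system user, gets none.
--    Equivalent to "createuser" at the shell. The hyphen forces quoting.
CREATE USER mydb_owner;
CREATE USER "www-data";
CREATE USER app1 WITH PASSWORD 'change-me';   -- option 2: no system account needed

-- 2. Database owned by the application role, not by www-data
--    (equivalent to: createdb -O mydb_owner mydb).
CREATE DATABASE mydb OWNER mydb_owner;

-- Check for the "every web app can reach every database" concern raised above:
-- stop roles that are not explicitly granted from connecting at all
-- (CONNECT privilege on databases exists from PostgreSQL 8.2 on).
REVOKE CONNECT ON DATABASE mydb FROM PUBLIC;
GRANT  CONNECT ON DATABASE mydb TO "www-data", app1;

-- 3. Inside the new database, as its owner:   \c mydb mydb_owner
CREATE TABLE orders (
    id       serial PRIMARY KEY,
    customer text NOT NULL,
    status   text NOT NULL
);

-- Least privilege for the web server: the running application only reads and
-- updates, so that is all www-data receives. No PUBLIC grant remains, so any
-- other application connecting under its own role sees nothing here.
REVOKE ALL ON orders FROM PUBLIC;
GRANT SELECT, UPDATE ON orders TO "www-data";
-- If the app also inserts, it additionally needs USAGE on orders_id_seq
-- (the serial column's sequence); leave that out unless it is required.

-- The same grant for the per-application role of option 2:
GRANT SELECT, UPDATE ON orders TO app1;

-- 4. pg_hba.conf entries that go with each option (first match wins, so
--    these lines belong above any catch-all "local all all ..." line):
--
--   # TYPE  DATABASE  USER      METHOD
--   local   mydb      www-data  ident sameuser   # option 1: Unix user == db user, no password,
--                                                 #           no pg_hba.conf edit if such a line exists
--   local   mydb      app1      md5              # option 2: password (md5 = hashed form of "password")
--
-- The @include mechanism mentioned above: the DATABASE and USER fields accept
-- "@filename", a file listing names separated by whitespace or commas, so a
-- package can append its database to that file instead of editing this line:
--
--   local   @dbconfig-databases   www-data   ident sameuser
--
-- Caveat from the thread: with option 1 every web application still runs as
-- www-data, so that role ends up holding the union of every application's
-- grants. Option 2, one role per application, is what keeps them apart.
```

To verify the result as a practitioner would, connect as the web user (`psql -U www-data mydb`) and confirm that `SELECT` and `UPDATE` on `orders` succeed while `INSERT`, `DELETE` and `CREATE TABLE` are refused; then connect as `app1` and repeat, and finally as a third role with no grants, which should not even be allowed to connect.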