Re: postgresql configuration and set-up

To: BillMoseley@hank.org
Cc: debian-user@lists.debian.org, Oliver.Elphick@lfix.co.uk
Subject: Re: postgresql configuration and set-up
From: Tom Allison <tallison@tacocat.net>
Date: Wed, 17 Mar 2004 08:43:16 -0500
Message-id: <[🔎] 405855F4.6020003@tacocat.net>
In-reply-to: <[🔎] 20040317070503.GA1318@hank.org>
References: <[🔎] 4057B843.9040805@tacocat.net> <[🔎] 20040317070503.GA1318@hank.org>

BillMoseley@hank.org wrote:

As glenn posted, it seems like you need to setup the
/etc/postresql/pg_hba.conf file.

Oliver, I CC'ed you on this because I don't have a formal bugreportutility working yet and thought it would helpful if you read this.

What I ended up doing was throwing out the pg_hba.conf file as suppliedby Debian. I personally don't like the implimentation for a variety ofreasons:

login_usernames are associated with database usernames. Means access toone means greater access to do damage. Security issue.

required ident which is not installed with postgresql and should beconsidered a bug. Ident is also an open text password process andshould be avoided. Security issue and a Bug.

It's far easier to manage and far saner to manage if you just added somelines to pg_hba.conf to the effect of:


local  all  postgres                 trust
local  all  all                      md5 (or trust or password)
host   all  all       127.0.0.0/8    md5
host   all  all     192.168.0.0/24   md5  ( I have an internal LAN )
host   all  all  0.0.0.0  0.0.0.0    reject

This puts the onus of security access to postgresql on postgresql andrequires a certain level of security by default on everything.The subnet 192.168.1.0/24 could be built up from a script to queryifconfig at package installation time if required. Otherwise skip it.

I'm kind of surprised at the change. It's been years since I looked atpostgresql in Debian and IIRC it wasn't like this. I don't know thehistory behind it. But I picked up Debian (again) because IMHO it'sjust a better distro, especially for servers, than anything else I'veever seen.


I would send a bugreport, but my email isn't working on that machine yet.



<chop chop chop  Thanks for reading this far Oliver>

Now, that authenticates to use the database.  But, the issue
I've been wondering about is this:

I create tables as one user then I want another user to use
those tables (like the web server).  Then I need to GRANT
access to every object in the database to that other user.

I wonder if there's an easier way than having to GRANT every
object -- like a global grant.



IIRC there is but you and I both have to RTFM a bit.
I saw your name on the pgsql-novice list!  ;)

Reply to:

Follow-Ups:
- Re: postgresql configuration and set-up
  - From: Bill Moseley <moseley@hank.org>
- Re: postgresql configuration and set-up
  - From: Oliver Elphick <olly@lfix.co.uk>
- Re: postgresql configuration and set-up
  - From: Oliver Elphick <olly@lfix.co.uk>

References:
- postgresql configuration and set-up
  - From: Tom Allison <tallison@tacocat.net>
- Re: postgresql configuration and set-up
  - From: BillMoseley@hank.org

Prev by Date: Re: Is Grub going to be official Sarge boot loader?
Next by Date: Re: usb storage devices
Previous by thread: Re: postgresql configuration and set-up
Next by thread: Re: postgresql configuration and set-up
Index(es):
- Date
- Thread