Re: postgresql configuration and set-up
BillMoseley@hank.org wrote:
> As glenn posted, it seems like you need to set up the
> /etc/postgresql/pg_hba.conf file.
Oliver, I CC'ed you on this because I don't have a formal bugreport
utility working yet and thought it would be helpful if you read this.
What I ended up doing was throwing out the pg_hba.conf file as supplied
by Debian. I personally don't like the implementation for a variety of
reasons:
- login_usernames are associated with database usernames. Means access to
  one means greater access to do damage. Security issue.
- required ident which is not installed with postgresql and should be
  considered a bug. Ident is also an open text password process and
  should be avoided. Security issue and a Bug.
It's far easier to manage and far saner to manage if you just added some
lines to pg_hba.conf to the effect of:
    local   all   postgres                    trust
    local   all   all                         md5      # or trust or password
    host    all   all   127.0.0.0/8           md5
    host    all   all   192.168.0.0/24        md5      # I have an internal LAN
    host    all   all   0.0.0.0 0.0.0.0       reject
This puts the onus of security access to postgresql on postgresql and
requires a certain level of security by default on everything.
The subnet 192.168.1.0/24 could be built up from a script to query
ifconfig at package installation time if required. Otherwise skip it.
I'm kind of surprised at the change. It's been years since I looked at
postgresql in Debian and IIRC it wasn't like this. I don't know the
history behind it. But I picked up Debian (again) because IMHO it's
just a better distro, especially for servers, than anything else I've
ever seen.
I would send a bugreport, but my email isn't working on that machine yet.
<chop chop chop Thanks for reading this far Oliver>
> Now, that authenticates to use the database. But, the issue
> I've been wondering about is this:
> I create tables as one user then I want another user to use
> those tables (like the web server). Then I need to GRANT
> access to every object in the database to that other user.
> I wonder if there's an easier way than having to GRANT every
> object -- like a global grant.
IIRC there is but you and I both have to RTFM a bit.
I saw your name on the pgsql-novice list! ;)
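Added example, not part of the original message: a short Python sketch of how rules like the ones quoted above are applied. PostgreSQL uses the first record that matches the connection type, database, user and client address, and the sketch also lists records whose method gives no real password protection. The function names and the sample file are constructed here; database and user fields are matched only literally or as `all`, which is a simplification.

```python
import ipaddress

# Constructed sample: the rules from the message above, with the
# parenthetical remarks dropped.
SAMPLE_HBA = """\
local all postgres trust
local all all md5
host all all 127.0.0.0/8 md5
host all all 192.168.0.0/24 md5
host all all 0.0.0.0 0.0.0.0 reject
"""

# Methods worth flagging in a review, with the reason.
WEAK = {"trust": "no authentication at all",
        "password": "password sent in cleartext",
        "ident": "trusts the reported OS user name"}

def parse_hba(text):
    """Return rule dicts in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        rest, net = f[3:], None
        if f[0] != "local":
            if "/" in rest[0]:                  # CIDR form: a.b.c.d/n
                cidr, rest = rest[0], rest[1:]
            else:                               # "address netmask" form
                bits = bin(int(ipaddress.IPv4Address(rest[1]))).count("1")
                cidr, rest = f"{rest[0]}/{bits}", rest[2:]
            net = ipaddress.ip_network(cidr, strict=False)
        rules.append({"type": f[0], "db": f[1], "user": f[2],
                      "net": net, "method": rest[0]})
    return rules

def first_match(rules, conn_type, db, user, addr=None):
    """Return (index, method) of the first matching rule, as the server does."""
    for i, r in enumerate(rules):
        if (r["type"] == conn_type and r["db"] in ("all", db)
                and r["user"] in ("all", user)
                and (r["net"] is None or ipaddress.ip_address(addr) in r["net"])):
            return i, r["method"]
    return None, "reject"   # no matching record: the connection is refused

def weak_rules(rules):
    """List (index, method, reason) for every rule using a flagged method."""
    return [(i, r["method"], WEAK[r["method"]])
            for i, r in enumerate(rules) if r["method"] in WEAK]
```

With the rules exactly as written, a client at 192.168.0.17 gets md5 from the fourth record, while one at 192.168.1.17 falls through to the final reject record.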