Re: postgresql configuration and set-up
On Wed, Mar 17, 2004 at 08:43:16AM -0500, Tom Allison wrote:
Tom, I'm new to this so can I ask for some clarification?
> login_usernames are associated with database usernames. Means access to
> one means greater access to do damage. Security issue.
You mean if user A creates a database then user B can access it
automatically?
If you want to give users their own database won't this help?
# Type  Database  User  Type
local   sameuser  all   ident sameuser
That limits access to their own database. Then for web access use
a host entry and suexec (for cgi at least) so cgi apps will ident to
that user.
> required ident which is not installed with postgresql and should be
> considered a bug.
IIRC you don't need to run ident for local access and still use "ident"
type of access. Seems like a good default for new people using
postgresql on the same machine.
> Ident is also an open text password process and
> should be avoided. Security issue and a Bug.
How is Ident a password issue? It just says what user is connected to a
socket.
> It's far easier to manage and far saner to manage if you just added some
> lines to pg_hba.conf to the effect of:
>
> local all postgres trust
Doesn't that say that anyone can connect as postgres? and therefore to
any database?
> local all all md5 (or trust or password)
> host all all 127.0.0.0/8 md5
> host all all 192.168.0.0/24 md5 ( I have an internal LAN )
So all that means that anyone with a postgres username and password can
connect to any database, right?
> >I wonder if there's an easier way than having to GRANT every
> >object -- like a global grant.
>
>
> IIRC there is but you and I both have to RTFM a bit.
> I saw your name on the pgsql-novice list! ;)
I have -- a few times -- but still seems like I'm doing it the hard way.
No response on the NOVICE list -- I thought it was a novice question --
perhaps the pg-general list might be more responsive.
--
Bill Moseley
moseley@hank.org
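
Added example, not part of the original message: a small Python evaluator that shows which authentication method each of the two pg_hba.conf variants quoted above selects for a given connection, using PostgreSQL's first-match rule order. The role and database names (alice, bob, billing) are constructed, and the parser assumes only the simple `local`/`host` CIDR line forms that appear in the thread.

```python
import ipaddress

# Constructed input: the two pg_hba.conf variants quoted in the thread.
PROPOSED = """\
local all postgres trust
local all all md5
host all all 127.0.0.0/8 md5
host all all 192.168.0.0/24 md5
"""
SAMEUSER = "local sameuser all ident sameuser\n"

def parse(text):
    """Turn pg_hba.conf lines into (type, database, user, network, method)."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            rules.append(("local", f[1], f[2], None, f[3]))
        elif f[0] == "host":  # assumes the CIDR form used in the thread
            rules.append(("host", f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules

def db_matches(rule_db, db, user):
    if rule_db == "all":
        return True
    if rule_db == "sameuser":  # database name must equal the role name
        return db == user
    return rule_db == db

def auth_method(rules, ctype, db, user, addr=None):
    """Method of the first matching rule; None means the connection is rejected."""
    for rtype, rdb, ruser, net, method in rules:
        if rtype != ctype or not db_matches(rdb, db, user):
            continue
        if ruser not in ("all", user):
            continue
        if net is not None and ipaddress.ip_address(addr) not in net:
            continue
        return method  # the server stops at the first match, no fall-through
    return None

if __name__ == "__main__":
    for cfg in (PROPOSED, SAMEUSER):
        rules = parse(cfg)
        print(auth_method(rules, "local", "billing", "postgres"),
              auth_method(rules, "local", "alice", "alice"),
              auth_method(rules, "local", "bob", "alice"))
```

A result of `trust` means the connection is accepted with no credential check at all, and `None` means no rule matched and the server refuses the connection.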