> > Since you can write extensions to PostgreSQL that reach far into the OS,
> > it does make sense to execute those extensions under a "non priviledged"
> > user, and not postgres.
>
> Agreed.
>
> > This OS user would somehow be tied to the username that the client
> > passes as his credentials (and that we trust to be authenticated).
>
> Not agreed. It's a feature, not an accident, that client user names,
> server OS user names, and database user names are independent. The mapping
> of database user names to server OS user names needs to have a separate
> mapping
Yes, a mapping is useful (as I said).
> and authentication system, which could probably be similar to the
> existing client authentication, but still separate.
I do not think that a separate authentication is necessary, it might be a
feature,
but imho the standard would be a trusted mapping from db to OS user.
Remember that execution rights are granted to db users for functions.
If a user does not have a desirable mapping you don't grant him any rights.
A special flag "suid" for functions would imply that the function always
runs under
the same OS user of the function owner, regardless of client credentials.
Andreas
