"C. Bensend" <benny@bennyvision.com> writes:
> I don't see any real way to keep users from connecting
> to their own databases via psql, and then using "\c <otherdb>"
> to connect to someone else's database.
Huh? \c is checked exactly as tightly as a fresh connection --- it
*is* a fresh connection, as far as the server is concerned.
> IS there a way to limit a user's ability to connect
> to only THEIR database?
See "sameuser" option in pg_hba.conf.
> hostssl bobsdb a.b.c.d 255.255.255.255 crypt
> This works fine, asks for a password, connects the user, and
> then they can "\c otherdb" without any problem.
The above line does not allow connections to ANY database other than
bobsdb. If anyone can connect to anything else at all, it's because
you have additional pg_hba lines that you're not showing us.
> hostssl bobsdb a.b.c.d 255.255.255.255 ident sameuser
"sameuser" in the database column (column 2) was what I was talking
about. "sameuser" as an ident argument is a different concept
altogether.
regards, tom lane