Re: Open 7.3 items - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Open 7.3 items
Date
Msg-id 18599.1028144884@sss.pgh.pa.us
In response to Re: Open 7.3 items  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: Open 7.3 items  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Tom Lane wrote:
>>> Socket permissions - only install user can access db by default
>> 
>> I do not agree with this goal.

> OK, this is TODO item:

> * Make single-user local access permissions the default by limiting
>   permissions on the socket file (Peter E)

Yes, I know what the TODO item says, and I disagree with it.

If we make the default permissions 700, then it's impossible to access
the database unless you run as the database owner.  This is not a
security improvement --- it's more like claiming that a Linux system
would be more secure if you got rid of ordinary users and did all your
work as root.  We should *not* encourage people to operate that way.
(It's certainly unworkable for RPM distributions anyway; only a user
who is hand-building a test installation under his own account would
possibly think that this is a useful default.)

I could see a default setup that made the permissions 770, allowing
access to anyone in the postgres group; that would at least bear some
slight resemblance to a workable production setup.  However, this
assumes that the DBA has root privileges, else he'll not be able to
add/remove users from the postgres group.  Also, on systems where users
all belong to the same "users" group, 770 isn't really better than 777.

The bottom line here is that there isn't any default protection setup
that is really widely useful.  Everyone's got to adjust the thing to
fit their own circumstances.  I'd rather see us spend more documentation
effort on pointing this out and explaining the alternatives, and not
think that we can solve the problem by making the default installation
so tight as to be useless.
        regards, tom lane
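
The three modes weighed in this message, worked through as an added example (not part of the original post and not PostgreSQL code). It assumes a platform that requires write permission on the socket file for connect(), as Linux does; the account names, uids and gids are constructed.

```python
import os
import stat

def can_connect(mode, owner_uid, group_gid, uid, gids):
    """Linux rule: connect() needs write permission on the socket file.
    The first matching class (owner, then group, then other) decides."""
    if uid == 0:
        return True                      # root bypasses file permissions
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if group_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def allowed(mode, owner_uid, group_gid, accounts):
    """Names of the accounts that could open the socket under this mode."""
    return sorted(name for name, (uid, gids) in accounts.items()
                  if can_connect(mode, owner_uid, group_gid, uid, gids))

def audit_socket(path, accounts):
    """Same check against a real socket file on disk."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    return allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, accounts)

# Constructed accounts: name -> (uid, gids). gid 26 = "postgres", 100 = "users".
ACCOUNTS = {
    "postgres": (26, {26}),
    "alice":    (1001, {100, 26}),   # app account added to the postgres group
    "bob":      (1002, {100}),       # ordinary user
}

if __name__ == "__main__":
    for label, gid in (("socket group = postgres", 26),
                       ("socket group = users", 100)):
        for mode in (0o700, 0o770, 0o777):
            print(f"{label}  {mode:o}  ->", allowed(mode, 26, gid, ACCOUNTS))
```

With the socket owned by a dedicated group, 770 admits only the accounts added to that group; with a shared "users" group, 770 and 777 admit the same set.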

