Re: Thoughts on the location of configuration files - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Thoughts on the location of configuration files
Date
Msg-id 200112240349.fBO3nc927006@candle.pha.pa.us
In response to Re: Thoughts on the location of configuration files  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Thoughts on the location of configuration files  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-hackers
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Well, the problem with backward compatibility here is that now we have
> > pg_hba.conf to configure some part of local authentication and
> > postgresql.conf to configure the other part.
> 
> Seems a pretty empty argument.  pg_ident.conf also (now) bears on local
> authentication, as does any random secondary-password file the user
> might select.  Shall we find a way to smush all that into pg_hba.conf?
> 
> > Aren't the socket permissions best dealt with in pg_hba.conf?
> 
> Maybe if we were designing the whole thing from scratch, it'd be cleaner
> to do it that way ... but it doesn't seem enough cleaner to justify
> creating a compatibility issue.

How many people really use unix socket permissions in postgresql.conf?
Probably very few.  We could announce when it goes away, and even throw
an error if it appears in postgresql.conf.  Seems that would clear it up
and make the feature much more usable.

Security is very easy to mess up.  That's why I think clarity is
important.  If we are going to change the default socket permissions to
700, that clearly would be a good time to make the change, no?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
 

