Re: trust auth in 7.4 - Mailing list pgsql-general
From | Bruce Momjian |
---|---|
Subject | Re: trust auth in 7.4 |
Date | |
Msg-id | 200401260534.i0Q5YwS01643@candle.pha.pa.us |
In response to | Re: trust auth in 7.4 (Bruno Wolff III <bruno@wolff.to>) |
List | pgsql-general |
Bruno Wolff III wrote:
> On Thu, Jan 22, 2004 at 15:33:05 +0100,
>   Henk van Lingen <henkvl@cs.uu.nl> wrote:
> > Hi,
> >
> > docs say (19.2.1):
> >
> > When trust authentication is specified, PostgreSQL assumes that anyone who
> > can connect to the server is authorized to access the database as whatever
> > database user he specifies (including the database superuser). This method
> > should only be used when there is adequate operating system-level
> > protection on connections to the server.
> >
> > but nowadays one can specify users in pg_hba.conf, and 19.1 says:
> >
> > user
> >
> > Specifies which PostgreSQL users this record matches. The value all
> > specifies that it matches all users. Otherwise, this is the name of a
> > specific PostgreSQL user. Multiple user names can be supplied by
> > separating them with commas. Group names can be specified by preceding
> > the group name with +. A file containing user names can be specified by
> > preceding the file name with @. The file must be in the same directory
> > as pg_hba.conf.
> >
> > Which of these is right? I hope the last also holds for 'trust' lines?
>
> Both. The second part says that in pg_hba.conf you can say which postgres
> users can connect to which databases. The first part says that trust
> authentication says that postgres will allow you to be whatever user you
> want without having to prove it in any way.

This patch clarifies that the user column still applies for 'trust'.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.
| Newtown Square, Pennsylvania 19073 Index: doc/src/sgml/client-auth.sgml =================================================================== RCS file: /cvsroot/pgsql-server/doc/src/sgml/client-auth.sgml,v retrieving revision 1.62 diff -c -c -r1.62 client-auth.sgml *** doc/src/sgml/client-auth.sgml 13 Dec 2003 23:59:06 -0000 1.62 --- doc/src/sgml/client-auth.sgml 26 Jan 2004 05:33:29 -0000 *************** *** 535,542 **** <para> When <literal>trust</> authentication is specified, <productname>PostgreSQL</productname> assumes that anyone who can ! connect to the server is authorized to access the database as ! whatever database user he specifies (including the database superuser). This method should only be used when there is adequate operating system-level protection on connections to the server. </para> --- 535,543 ---- <para> When <literal>trust</> authentication is specified, <productname>PostgreSQL</productname> assumes that anyone who can ! connect to the server is authorized to access the database with ! whatever database user they specify (including the database superuser). ! Of course, restrictions placed in the <literal>user</> column still apply. This method should only be used when there is adequate operating system-level protection on connections to the server. </para>
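Review bot: In the added line "Of course, restrictions placed in the <literal>user</> column still apply.", the sentence does not say what those restrictions do under trust, so a reader could take it to mean the user column offers some protection against impersonation. Per the 19.1 text quoted in the thread, the column only decides which user names a record matches; a client that reaches a matching trust record is still accepted under any listed name without proving it. I would drop "Of course", state that explicitly, and mention the database column as well, since a record also limits which databases it matches. Separately, changing "as whatever database user" to "with whatever database user" reads less naturally; "as" could stay alongside the he-to-they change.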
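The user-column matching discussed in this message can be checked on a real file with a short audit; the following is an added example, not part of the original message or of PostgreSQL. The sample file, the helper names `parse_hba` and `trust_findings`, the superuser name `postgres` and the simplified field layout are assumptions.

```python
# Added example: list pg_hba.conf "trust" records and how far the user column
# narrows them. SAMPLE is constructed; parse_hba/trust_findings are
# hypothetical helper names.
SAMPLE = """\
# TYPE  DATABASE  USER             ADDRESS / MASK               METHOD
local   all       postgres                                      ident sameuser
local   appdb     report,+readers                               trust
host    all       all              127.0.0.1  255.255.255.255   trust
host    appdb     @admins          10.0.0.0/8                   md5
local   logs      batch                                         trust
"""

def parse_hba(text):
    """Yield (lineno, type, databases, users, method) per record.

    Assumes whitespace-separated fields without quoting; host records carry
    either one CIDR field or an address field followed by a mask field.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only, or malformed line
        ctype, dbs, users, rest = fields[0], fields[1], fields[2], fields[3:]
        if ctype != "local":
            rest = rest[1:] if "/" in rest[0] else rest[2:]
        if rest:
            yield lineno, ctype, dbs.split(","), users.split(","), rest[0]

def trust_findings(text, superusers=("postgres",)):
    """Return (lineno, type, databases, users, verdict) for each trust record.

    Record order (first match wins) is not modelled, so a trust record that an
    earlier record shadows is still reported.
    """
    findings = []
    for lineno, ctype, dbs, users, method in parse_hba(text):
        if method != "trust":
            continue
        if "all" in users or set(users) & set(superusers):
            verdict = "superuser claimable"   # any client may name a superuser
        elif any(u.startswith(("+", "@")) for u in users):
            verdict = "depends on group/file membership"
        else:
            verdict = "limited to listed names"  # still accepted without proof
        findings.append((lineno, ctype, dbs, users, verdict))
    return findings

if __name__ == "__main__":
    for finding in trust_findings(SAMPLE):
        print(finding)
```

Records reported as "limited to listed names" are narrower, but every listed name is still accepted without proof by any client that can reach the record.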