Re: Using both ident and password in pg_hba.conf - Mailing list pgsql-general

From D'Arcy J.M. Cain
Subject Re: Using both ident and password in pg_hba.conf
Date
Msg-id 20160509161839.37c3d9d0@imp
Whole thread Raw
In response to Re: Using both ident and password in pg_hba.conf  (Adrian Klaver <adrian.klaver@aklaver.com>)
Responses Re: Using both ident and password in pg_hba.conf  (John R Pierce <pierce@hogranch.com>)
Re: Using both ident and password in pg_hba.conf  (Adrian Klaver <adrian.klaver@aklaver.com>)
Re: Using both ident and password in pg_hba.conf  ("Peter J. Holzer" <hjp-pgsql@hjp.at>)
List pgsql-general
On Mon, 9 May 2016 13:02:53 -0700
Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> So define PHP runs as 'nobody'?

Because of the way PHP and Apache works PHP script have to run as the
Apache user which, in my case anyway, is "nobody" so every PHP script
runs as nobody.  Meanwhile non-PHP scripts run as the user who owns the
site.

> Is that the script's user permissions?

Sometimes.  The user has the choice to have everything owned by nobody
(which requires that they contact us for changes) or else as themself
but with world readable permissions on the files so that nobody can
serve them.

> Or is that the database user the script is connecting as?

Yes.

> Is 'nobody' defined as a database user?

Yes but each user has their own database with their own user and
password.  When they run PHP scripts they connect as nobody but they
attempt to login as themself.

Basically I think that pg_hba.conf is missing a feature.  We can
specify the database, the user and the address but we can't specify the
authenticated user.  When it sees this;

provided user name (x) and authenticated user name (nobody) do not match

I would like it to connect with user x but drop to password
authentication.

--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 788 2246     (DoD#0082)    (eNTP)   |  what's for dinner.
IM: darcy@Vex.Net, VoIP: sip:darcy@druid.net


pgsql-general by date:

Previous
From: Adrian Klaver
Date:
Subject: Re: Using both ident and password in pg_hba.conf
Next
From: John R Pierce
Date:
Subject: Re: Using both ident and password in pg_hba.conf