Re: initdb recommendations - Mailing list pgsql-hackers

From Tom Lane
Subject Re: initdb recommendations
Date
Msg-id 6528.1563999514@sss.pgh.pa.us
In response to Re: initdb recommendations  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: initdb recommendations
List pgsql-hackers
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> If I'm logged in as the OS user that owns the data directory, I should
> be able to log in to the database system via local socket as any user.
> Because why stop me?  I can just change pg_hba.conf to let me in.

Hmm ... there's probably some minor loss of safety there, but not
much, as you say.

> I think we could just define that if geteuid == getpeereid, then
> authentication succeeds.  Possibly make that a setting if someone wants
> to turn it off.

We would still need to make the proposed buildfarm changes, though,
because Windows.  (And HPUX, though if it were the only holdout
maybe we could consider blowing it off.)

I'm not that excited about weakening our authentication rules
just to make things easier for the buildfarm.

It's possible that what you suggest is a good idea anyway to reduce
the user impact of switching from trust to peer as default auth.
However, I'm a little worried that we'll start getting a lot of "it
works in psql but I can't connect via JDBC-or-whatever" complaints.
So I dunno if it will really make things easier for users.

            regards, tom lane


