Re: The pg_hba.conf file - Mailing list pgsql-novice
| From | |
|---|---|
| Subject | Re: The pg_hba.conf file |
| Date | |
| Msg-id | Pine.A41.3.95.1021219075326.17270C-100000@fn2.freenet.edmonton.ab.ca |
| In response to | Re: The pg_hba.conf file (Bruno Wolff III <bruno@wolff.to>) |
| Responses | Re: The pg_hba.conf file |
| List | pgsql-novice |
On Thu, 19 Dec 2002, Bruno Wolff III wrote:

> On Wed, Dec 18, 2002 at 22:38:59 -0700,
> ghaverla@freenet.edmonton.ab.ca wrote:
> >
> > 2 --------------------------------
[ ... ]
> > which apparently can be configured to lie. Which leads me to ask
> > the question, is ident trustworthy for local connections? Certainly
>
> Yes. If you can't trust the local machine, then you shouldn't be running
> your postgres server on it. Note that ident for "local" (this doesn't
> include connections to 127.0.0.1) connections does not depend on an ident
> server.

Since I admin the local machine, I guess I can trust myself. But I was
looking to see that identity for the "local" connection has nothing to do
with any ident daemon I may be running (or not running, which is what I
would prefer).

> > 3.1 ---------------------------------------------
> > In the above local ... example, I suspect having "ident sameuser"
> > as the authentication allowing access to the database "sameuser"
> > restricts completely, but the "all" wildcard for the user seems out
> > of place. Something like:
> > local sameuser sameuser ident sameuser
> > seems to better describe the situation, that I only want these
> > connections by UNIX UIDs to databases with the same name as
> > the UNIX UID.
>
> The 'all' in the users field indicates that all users can use the
> database matching their username. If you only want some users to
> be able to do this you can use a list or group there. Having
> 'sameuser' there wouldn't make much sense since the supplied user name is
> also the same as the supplied user name.

It never occurred to me that you would only want to put a subset of names
in the USER field. I agree that having "sameuser" isn't very clear, but
then I didn't think "all" was completely clear either. "All" seems to
mean different things in different contexts.

> > It's not unusual to see sample pg_hba.conf files, which have
> > a
> > host all all 0.0.0.0 0.0.0.0 reject
> > line at the end. Should a person have similar lines for hostssl
> > and local connections? I.e.:
>
> Well the default will be to reject connections, so they aren't really needed
> except to prevent accidents. However 'host' will match 'hostssl' connections
> (but not vice versa), so you don't need hostssl in addition to host if you
> do that. 'local' connections are different and need a separate entry.

I just like to be in the habit of having an explicit "Default" for any
"switches" I have in code. Having an explicit reject for local seemed to
be a good thing to add. But, thanks for the clarification.

Gord
--
Matter Realisations http://www.materialisations.com/
Gordon Haverland, B.Sc. M.Eng. President
101 9504 182 St. NW Edmonton, AB, CA T5T 3A7
780/481-8019 ghaverla @ freenet.edmonton.ab.ca 780/993-1274 (alt.)
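A small checker for the point about explicit "default" reject lines, added here as an example and not part of the thread or of PostgreSQL itself: it parses a constructed pg_hba.conf in the 7.3-era layout used above and reports which connection types an explicit catch-all reject covers, counting a 'host' reject as covering 'hostssl' too and requiring a separate entry for 'local'.

```python
# Added example, not from the thread or from PostgreSQL: audit a pg_hba.conf
# for explicit catch-all "reject" lines. Sample config is constructed here.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD  [OPTION]
local   sameuser  all                                ident   sameuser
host    all       all   127.0.0.1   255.255.255.255  md5
host    all       all   0.0.0.0     0.0.0.0          reject
"""

def parse_hba(text):
    """Parse non-comment lines; accepts 7.3 layout (IP-ADDRESS IP-MASK) or one CIDR field."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        f = line.split()
        rec = {"type": f[0], "database": f[1], "user": f[2],
               "address": None, "mask": None}
        rest = f[3:]
        if rec["type"] != "local":
            if "/" in rest[0]:                 # CIDR form: one address field
                rec["address"], rest = rest[0], rest[1:]
            else:                              # 7.3 form: address then mask
                rec["address"], rec["mask"], rest = rest[0], rest[1], rest[2:]
        rec["method"] = rest[0]
        rec["option"] = rest[1] if len(rest) > 1 else None
        records.append(rec)
    return records

def is_catch_all(rec):
    """True when the line matches every database, user and (for host types) address."""
    if rec["database"] != "all" or rec["user"] != "all":
        return False
    if rec["type"] == "local":
        return True
    if rec["mask"] is not None:
        return rec["address"] == "0.0.0.0" and rec["mask"] == "0.0.0.0"
    return rec["address"] in ("0.0.0.0/0", "::/0")

def explicit_reject_defaults(text):
    """Connection types covered by an explicit catch-all reject ('host' covers 'hostssl')."""
    covered = {"local": False, "host": False, "hostssl": False}
    for rec in parse_hba(text):
        if rec["method"] == "reject" and is_catch_all(rec):
            covered[rec["type"]] = True
            if rec["type"] == "host":
                covered["hostssl"] = True
    return covered
```

On the sample, the TCP side is covered but 'local' is not, which is exactly the gap an extra `local all all reject` line closes.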