Re: Restricting user -> database access. - Mailing list pgsql-admin

From C. Bensend
Subject Re: Restricting user -> database access.
Date
Msg-id Pine.BSO.4.33L2.0108212233390.51-100000@fusion.bennyvision.com
In response to Re: Restricting user -> database access.  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Restricting user -> database access.
List pgsql-admin
On Tue, 21 Aug 2001, Tom Lane wrote:

> See "sameuser" option in pg_hba.conf.

I have.  See below.

> > hostssl      bobsdb    a.b.c.d   255.255.255.255   crypt
>
> > This works fine, asks for a password, connects the user, and
> > then they can "\c otherdb" without any problem.
>
> The above line does not allow connections to ANY database other than
> bobsdb.  If anyone can connect to anything else at all, it's because
> you have additional pg_hba lines that you're not showing us.

Before that, I have:

local        all                                           crypt
host         all         127.0.0.1     255.255.255.255     crypt

The above lines should not allow ANYONE access, without a
password, correct?  That's all I have above said lines.

In response to "you have additional pg_hba lines that you're
not showing us", that's all I have.  Honestly.

> > hostssl      bobsdb    a.b.c.d   255.255.255.255   ident   sameuser
>
> "sameuser" in the database column (column 2) was what I was talking
> about.  "sameuser" as an ident argument is a different concept
> altogether.

OK.  I accept that.  While I appreciate your help profusely, you
still haven't said what I'm doing wrong.

As a test, I've configured pg_hba.conf as follows:

local        all                                        crypt
host         all         127.0.0.1  255.255.255.255     crypt

hostssl      balmer      a.b.c.d    255.255.255.255     ident  sameuser
hostssl      ertz        a.b.c.d    255.255.255.255     ident  sameuser

host         all         127.0.0.1  255.255.255.255     crypt

As user 'balmer' from the client machine, I can connect to
the 'balmer' database.  Yay.  :)  And now, as balmer, I can
"\c ertz" and connect to the ertz database.  Not so good.  :(

I can do this, whether the authentication is ident or crypt.
Doesn't matter - once I've authenticated as a user, "\c" works.

Where am I going wrong?

Benny


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You see, we're leveraging the synergies of our existing open source
solution, without reliance on a single vendor.
Or in english: We use samba cause NT sucks ass.
                                                       --greg@rage.net
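Because each `\c` opens a new connection that is matched against pg_hba.conf again, the question is simply which line is the first to match (user `balmer`, database `ertz`, SSL from the client address) and what that line's method decides. The following Python model of that first-match lookup is an added example, not part of the thread and not PostgreSQL's own code: it handles only the five/six column layout shown above, treats `ident sameuser` as "OS user name must equal database user name", and replaces the placeholder `a.b.c.d` with the constructed address `192.0.2.10`. It runs the posted configuration beside one that uses `sameuser` in the database column, which is the keyword Tom Lane refers to.

```python
# Simplified model of pg_hba.conf line selection (added example, not PostgreSQL's
# own code): the first line whose type, database and address match the incoming
# connection decides; if no line matches, the connection is rejected.
# "a.b.c.d" from the thread is replaced by the constructed address 192.0.2.10.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class HbaLine:
    conn_type: str                                 # local | host | hostssl
    database: str                                  # all | sameuser | <database name>
    network: Optional[ipaddress.IPv4Network]       # None for "local" lines
    method: str                                    # trust | reject | crypt | ident ...
    option: Optional[str]                          # e.g. the ident map name ("sameuser")


def parse_hba(text: str) -> list:
    """Parse the old five/six column pg_hba.conf layout used in the thread."""
    lines = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        f = body.split()
        if f[0] == "local":
            # local  DATABASE  METHOD  [OPTION]
            lines.append(HbaLine(f[0], f[1], None, f[2], f[3] if len(f) > 3 else None))
        else:
            # host|hostssl  DATABASE  IP  MASK  METHOD  [OPTION]
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
            lines.append(HbaLine(f[0], f[1], net, f[4], f[5] if len(f) > 5 else None))
    return lines


def _db_matches(col: str, database: str, user: str) -> bool:
    if col == "all":
        return True
    if col == "sameuser":            # database-column keyword: db name must equal user name
        return database == user
    return col == database


def _type_matches(col: str, conn_type: str) -> bool:
    if col == "local":
        return conn_type == "local"
    if col == "host":                # plain "host" matches SSL and non-SSL TCP connections
        return conn_type in ("host", "hostssl")
    return col == conn_type          # "hostssl" only matches SSL connections


def evaluate(lines, user, database, conn_type, client_addr=None,
             os_user=None, password_ok=False) -> str:
    """Return 'allow' or a 'reject: ...' string for one connection attempt."""
    for ln in lines:
        if not _type_matches(ln.conn_type, conn_type):
            continue
        if not _db_matches(ln.database, database, user):
            continue
        if ln.network is not None and (
                client_addr is None or ipaddress.ip_address(client_addr) not in ln.network):
            continue
        # First matching line decides; later lines are never consulted.
        if ln.method == "trust":
            return "allow"
        if ln.method == "reject":
            return "reject: explicit reject line"
        if ln.method in ("crypt", "password", "md5"):
            return "allow" if password_ok else "reject: bad password"
        if ln.method == "ident":
            if ln.option == "sameuser":   # ident map: OS user must equal database user
                return "allow" if os_user == user else "reject: ident user mismatch"
            return "reject: unsupported ident map in this model"
        return f"reject: unsupported method {ln.method}"
    return "reject: no matching pg_hba.conf line"


# The poster's test configuration, with a.b.c.d -> 192.0.2.10 (constructed).
POSTED_CONF = """
local        all                                        crypt
host         all         127.0.0.1  255.255.255.255     crypt
hostssl      balmer      192.0.2.10 255.255.255.255     ident  sameuser
hostssl      ertz        192.0.2.10 255.255.255.255     ident  sameuser
"""

# "sameuser" in the database column: a user may reach only the database
# bearing their own name, whichever authentication method follows.
RESTRICTED_CONF = """
local        all                                        crypt
host         all         127.0.0.1  255.255.255.255     crypt
hostssl      sameuser    192.0.2.10 255.255.255.255     ident  sameuser
"""


def balmer_to(database: str, conf: str) -> str:
    # OS user balmer, database user balmer, SSL from 192.0.2.10: the same
    # situation as a backslash-c reconnect from the already-authenticated session.
    return evaluate(parse_hba(conf), user="balmer", database=database,
                    conn_type="hostssl", client_addr="192.0.2.10", os_user="balmer")


if __name__ == "__main__":
    for conf_name, conf in (("posted", POSTED_CONF), ("restricted", RESTRICTED_CONF)):
        for db in ("balmer", "ertz"):
            print(f"{conf_name:10} balmer -> {db:6}: {balmer_to(db, conf)}")
```

With the posted configuration, `balmer -> ertz` is allowed because the `hostssl ertz ... ident sameuser` line matches on its own terms (the OS user and the database user are both `balmer`; the line never asks which database that user "owns"). With `sameuser` in the database column, no line matches `balmer -> ertz` at all, so the reconnect is refused, while `balmer -> balmer` still succeeds. The model ignores groups, IPv6 and the newer pg_hba.conf syntax; it exists only to make the first-match rule visible.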


