Re: unix_socket_group problem - Mailing list pgsql-admin

From Joe Miller
Subject Re: unix_socket_group problem
Msg-id a7c175b20911130908h4755ee10o9ee8a7bea8a807ca@mail.gmail.com
In response to Re: unix_socket_group problem  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: unix_socket_group problem  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-admin


On Fri, Nov 13, 2009 at 11:47 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Joe Miller <joe.d.miller@gmail.com> writes:
>> I have a PostgreSQL installation for which I would like to limit local
>> domain socket access to the postgres user and members of the "myadmin"
>> group. I've modified pg_hba.conf to trust local domain socket connections,
>> and changed these settings in postgresql.conf:
>> unix_socket_group = 'myadmin'
>> unix_socket_permissions = 0770
>
> Looks reasonable.
>
>> When I look at the socket file in /tmp, I see the following:
>> srwx------  1 postgres postgres    0 Nov 13 10:03 .s.PGSQL.5432
>
> Huh, did you restart the server?  Are you sure you modified the right
> config file?  Those settings obviously didn't "take".

Definitely the right file, and I've restarted multiple times. If I set this:

#unix_socket_group = ''
unix_socket_permissions = 0770

...everything works as I expect. I have access logged in as either root or postgres, but get "permission denied" if I'm logged in as a myadmin user.

If I set this:

unix_socket_group = 'myadmin'
unix_socket_permissions = 0777

...connection is refused for all accounts.  For this config, I'd expect to see the socket owned by the myadmin group, but I should have access from any account, correct?


Joe
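
A check for the situation discussed in this message, added here as an example and not part of the original thread: it reads the effective `unix_socket_group` and `unix_socket_permissions` from postgresql.conf text (commented-out lines ignored, last uncommented entry wins) and reports where a socket's mode and group differ from them. The function names and `SAMPLE_CONF` are hypothetical; the sample is constructed from the settings quoted above, and the code only reports differences without identifying their cause.

```python
import grp
import os
import re
import stat

# name [=] value: value is single-quoted or a bare token; '#' starts a comment.
LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=?\s*(?:'((?:[^']|'')*)'|([^\s#']+))")

# Constructed sample built from the settings quoted in the message.
SAMPLE_CONF = """\
#unix_socket_group = ''
unix_socket_group = 'myadmin'
unix_socket_permissions = 0770   # octal because of the leading 0
"""

def effective_settings(conf_text):
    """Parse postgresql.conf text; skip comments, last uncommented entry wins."""
    settings = {}
    for line in conf_text.splitlines():
        m = LINE.match(line)
        if m:
            quoted, bare = m.group(2), m.group(3)
            value = quoted.replace("''", "'") if quoted is not None else bare
            settings[m.group(1).lower()] = value
    return settings

def expected_socket(settings):
    """Return (mode, group or None) that the settings ask for."""
    raw = settings.get("unix_socket_permissions", "0777")  # documented default
    mode = int(raw, 8) if raw.startswith("0") else int(raw)
    return mode, settings.get("unix_socket_group") or None

def mismatches(settings, st_mode, group_name):
    """Compare an observed socket mode and group name with the settings."""
    want_mode, want_group = expected_socket(settings)
    have_mode = stat.S_IMODE(st_mode)
    found = []
    if have_mode != want_mode:
        found.append(f"mode is {have_mode:04o}, config asks for {want_mode:04o}")
    if want_group and group_name != want_group:
        found.append(f"group is {group_name}, config asks for {want_group}")
    return found

def check_socket_file(conf_path, socket_path):
    """Same comparison against a real config file and socket file."""
    st = os.stat(socket_path)
    with open(conf_path) as f:
        settings = effective_settings(f.read())
    return mismatches(settings, st.st_mode, grp.getgrgid(st.st_gid).gr_name)
```

Calling `mismatches(effective_settings(SAMPLE_CONF), stat.S_IFSOCK | 0o700, "postgres")` reproduces the `srwx------ postgres postgres` listing from the message and returns both differences.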
