Tom Lane <tgl@sss.pgh.pa.us> writes:
> Arcady Genkin <a.genkin@utoronto.ca> writes:
> > Tom Lane <tgl@sss.pgh.pa.us> writes:
> >> Offhand I'd think it foolish to make it easier to get into the
> >> superuser account than regular accounts anyway.
>
> > Not so much if the database only listens on unix domain socket, which
> > has tight permissions, and a UNIX user has to identify himself with a
> > valid password anyways.
>
> So? If you can trust local connections from the user who is superuser
> to be correctly authenticated, then you can also trust local connections
> from the users who are non-superusers. I really completely fail to see
> the point of requiring a password to connect to non-critical accounts
> while having no password (*LESS* security) for the critical superuser
> account.
Suppose that one of the non-superusers accounts is user `apache'.
There is a higher chance that this user account is compromised, than
the `postgres' account. I can see your point, though.
--
Arcady Genkin