Thread: Trouble setting up access privileges

Trouble setting up access privileges

From
mkrist@binf.ku.dk
Date:
Hi pgsql-admin mailing list,

I'm having some problems setting up access privileges via pg_hba.conf. The
problem is that it seems that some Linux user accounts have password-less
access to the pgsql databases via the 'pgsql' CLI tool even though I try to
enforce md5 password protection.

The relevant line in pg_hba.conf is this:
host    all         mette,mkrist       10.10.0.0        255.255.0.0       md5

If I'm logged in as the Linux user "mkrist" and try to log in to a database as
either the pgsql user "mette" or the pgsql user "mkrist" it requires me to
enter a password (which it then accepts and logs me in).

But if I'm OTOH logged in as the Linux user "mette" it only requires me to
enter a password if I try to login to a database with the pgsql user "mkrist"
(which it then accepts). If I try to login as the pgsql user "mette" it logs
in without asking for a password.

I can't find anything in the documentation about exceptions from the
pg_hba.conf rules, so I'm quite surprised by this behaviour.

Thank you, I'd appreciate any help.

--
Michael Kristensen <mkrist@binf.ku.dk>
IT-studentermedhjælper / Sysadm student aid
BINF

Re: Trouble setting up access privileges

From
Tom Lane
Date:
mkrist@binf.ku.dk writes:
> The relevant line in pg_hba.conf is this:
> host    all         mette,mkrist       10.10.0.0        255.255.0.0       md5

What are the *other* lines in pg_hba.conf?

> I can't find anything in the documentation about exceptions from the
> pg_hba.conf rules,

There aren't any.  The likely explanations are that (1) some earlier
line in pg_hba.conf is capturing the connection, (2) you are looking
at the wrong copy of pg_hba.conf, (3) you edited pg_hba.conf but
forgot to SIGHUP the postmaster, (4) you have a ~/.pgpass file on
the client side that is silently supplying a password in some of
these cases.

            regards, tom lane

Re: Trouble setting up access privileges

From
mkrist@binf.ku.dk
Date:
On Mon, Sep 15, 2008 at 01:08:08PM -0400, Tom Lane wrote:
...
> forgot to SIGHUP the postmaster, (4) you have a ~/.pgpass file on
> the client side that is silently supplying a password in some of
> these cases.

It seems the user had this ~/.pgpass file and that this was the reason. Thanks
for pointing out the possibility.

Why isn't this ~/.pgpass file documented in
http://www.postgresql.org/docs/8.3/static/auth-pg-hba-conf.html ?

Again, thank you, I appreciate it.

--
Michael Kristensen <mkrist@binf.ku.dk>
IT-studentermedhjælper / Sysadm student aid
BINF
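
An added example, not part of the original thread: a sketch of the two lookups behind explanations (1) and (4) above, namely first-match selection of a pg_hba.conf record and first-match selection of a ~/.pgpass line, combined to show why an md5 rule can still produce a login with no prompt. The host name "dbhost", the database "research", the client address and the .pgpass contents are constructed; the pg_hba.conf matcher is simplified to "host" records with "all" or comma-separated names and numeric addresses.

```python
import ipaddress
import re

_FIELD = re.compile(r"(?:\\.|[^:\\])*")      # one .pgpass field; a backslash escapes the next char

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def pgpass_password(pgpass_text, host, port, db, user):
    """Password libpq would send without prompting, or None. First matching line wins."""
    for line in pgpass_text.splitlines():
        if not line or line.startswith("#"):
            continue
        pats, pos = [], 0
        for _ in range(4):                   # hostname:port:database:username
            m = _FIELD.match(line, pos)
            pats.append(m.group())
            pos = m.end() + 1                # step over the ':' separator
        if pos > len(line):                  # fewer than five fields
            continue
        if all(p == "*" or _unescape(p) == v
               for p, v in zip(pats, (host, str(port), db, user))):
            return _unescape(line[pos:])     # rest of the line is the password
    return None

def hba_method(hba_text, db, user, client_ip):
    """Auth method of the first 'host' record matching a TCP connection.
    Simplified: only 'all' and comma-separated names, numeric addresses only."""
    for line in hba_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 5 or f[0] != "host":
            continue
        if not ({"all", db} & set(f[1].split(",")) and {"all", user} & set(f[2].split(","))):
            continue
        # address is either CIDR (one column) or address + mask (two columns)
        cidr, rest = (f[3], f[4:]) if "/" in f[3] else (f"{f[3]}/{f[4]}", f[5:])
        if rest and ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False):
            return rest[0]
    return None

def login_behaviour(hba_text, pgpass_text, host, port, db, user, client_ip):
    """Return (server-side auth method, whether the user sees a password prompt)."""
    method = hba_method(hba_text, db, user, client_ip)
    needs_pw = method in ("md5", "password", "scram-sha-256")
    stored = pgpass_password(pgpass_text, host, port, db, user)
    return method, needs_pw and stored is None

# Constructed sample data: the rule quoted in the thread plus a made-up .pgpass.
HBA = "host    all         mette,mkrist       10.10.0.0        255.255.0.0       md5\n"
PGPASS = "# constructed example\ndbhost:5432:*:mette:not-a-real-password\n"
```

With this sample data the server demands md5 authentication for both users, but only "mkrist" is prompted; for "mette" the client answers the challenge from the stored entry.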