Thread: making another super user other than postgres

making another super user other than postgres

From
"Bob Powell"
Date:
Hello everyone;

My systems admin says that he needs to have use of the Postgres user
without a password.  His Debian package manager requires this.

He tells me that he can lock down that user on the system so that there
are no security concerns.

Can someone tell me if this is acceptable?


Also, my method for creating another superuser is to update the
pg_shadow files "usesuper" field to 't'.  Are there any issues I should
be aware of for doing such a thing.  Thanks.

Bob Powell
Database Administrator

Re: making another super user other than postgres

From
Bruno Wolff III
Date:
On Thu, Nov 11, 2004 at 10:31:28 -0500,
  Bob Powell <Bob@hotchkiss.org> wrote:
> Hello everyone;
>
> My systems admin says that he needs to have use of the Postgres user
> without a password.  His Debian package manager requires this.
>
> He tells me that he can lock down that user on the system so that there
> are no security concerns.
>
> Can someone tell me if this is acceptable?

If they will be connecting to postgres using domain sockets then you can
use ident authentication to limit them to the appropriate postgres accounts
based on their system account.

Re: making another super user other than postgres

From
Tom Lane
Date:
"Bob Powell" <Bob@hotchkiss.org> writes:
> My systems admin says that he needs to have use of the Postgres user
> without a password.  His Debian package manager requires this.
> He tells me that he can lock down that user on the system so that there
> are no security concerns.

Why can't he put his password in ~/.pgpass?

Or if you don't like that, see if you can set up to let him in with
IDENT.  But using TRUST on a multi-user machine is just asking for
trouble.

> Also, my method for creating another superuser is to update the
> pg_shadow files "usesuper" field to 't'.

The CREATEUSER option to CREATE/ALTER USER is the same thing.

            regards, tom lane

Re: making another super user other than postgres

From
Oliver Elphick
Date:
On Thu, 2004-11-11 at 15:31, Bob Powell wrote:
> My systems admin says that he needs to have use of the Postgres user
> without a password.  His Debian package manager requires this.

The PostgreSQL user "postgres" is given the ability to connect to any
database on the local machine without supplying a password.  The Debian
package of PostgreSQL uses "ident sameuser" authentication by default.
This means that you can only connect to PostgreSQL with the same
username as you logged into the system with, and you can only do this
from the local machine.  The "postgres" system user is installed with a
non-valid password, so that it is impossible to login as postgres; you
have to become superuser first and then use su.  The root user can do
this at any time with the command "su - postgres".  He does not need to
supply a password.

I don't know what you mean by "Debian package manager".  If you refer to
the package installation scripts, these run as root and therefore a
package's installation script can adopt at will the identity "postgres"
(which is the id that owns the Debian-installed PostgreSQL database).
If you mean that a particular package needs to run without providing a
password on connect, this can be set up by editing
/etc/postgresql/pg_hba.conf for a particular combination of user, host
and database; whether it is the best way to do it is not determinable
from the information you have provided.

I know that some Debian maintainers (or the upstream package authors)
have not really understood how to use PostgreSQL's authentication
system.  It may be that you need to file bugs on the packages...but we
need more details.

> He tells me that he can lock down that user on the system so that there
> are no security concerns.

> Can someone tell me if this is acceptable?

I would want to know exactly what he was proposing to do before I could
answer that.  Apart from security concerns, if he changes the login
behaviour of the postgres system user, it might cause problems for
package installation scripts, which expect things to be as they are set
up by the postgresql package.

Oliver Elphick
Debian maintainer for PostgreSQL
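Tom's reply (put the password in ~/.pgpass, avoid TRUST on a multi-user box) and Oliver's (Debian's default is "ident sameuser" in /etc/postgresql/pg_hba.conf) both come down to what is in two files. The script below is an added illustration, not code from the thread or from the Debian packages: it writes a constructed pg_hba.conf into a temporary directory, flags any line that uses the "trust" method, rewrites those lines to password (md5) authentication so the password can come from a .pgpass file instead of being typed, and installs a .pgpass with the 0600 mode libpq requires before it will read the file. The temp paths, the sample rules and the placeholder password are all assumptions for the demo; on a current release the local "ident sameuser" rule is spelled "peer".

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). All paths and rules below
# are constructed for the demo; Debian of that era used /etc/postgresql/pg_hba.conf.

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
HBA_FILE="$DEMO_DIR/pg_hba.conf"
HARDENED_FILE="$DEMO_DIR/pg_hba.hardened.conf"
PGPASS_FILE="$DEMO_DIR/pgpass"

# Constructed sample: Debian's default ident-sameuser rules plus one weak line.
write_sample_hba() {
    cat > "$HBA_FILE" <<'EOF'
# TYPE  DATABASE  USER  IP-ADDRESS   IP-MASK          METHOD
local   all       all                                 ident sameuser
host    all       all   127.0.0.1    255.255.255.255  ident sameuser
# Weak: any client on this subnet may claim any role with no check at all.
host    all       all   192.168.1.0  255.255.255.0    trust
EOF
}

# Print every active rule whose method is "trust" (it takes no options, so it
# is always the last field). Returns 0 when none are found, 1 otherwise.
find_trust_entries() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        method=$(printf '%s\n' "$line" | awk '{print $NF}')
        if [ "$method" = "trust" ]; then
            printf '%s\n' "$line"
            found=1
        fi
    done < "$1"
    [ "$found" -eq 0 ]
}

# Number of trust rules in a pg_hba.conf, as a plain integer string.
count_trust_entries() {
    find_trust_entries "$1" | wc -l | tr -d ' '
}

# Replace "trust" with "md5" (password auth; the password then lives in
# .pgpass rather than on a command line). Input file $1, output file $2.
harden_hba() {
    sed -e 's/[[:space:]]\{1,\}trust[[:space:]]*$/  md5/' "$1" > "$2"
}

# Write a .pgpass-style file (hostname:port:database:username:password) with
# mode 0600; libpq silently ignores the file if group or other can read it.
install_pgpass() {
    ( umask 077
      printf '%s\n' "localhost:5432:*:postgres:${PGPASS_SECRET:-PLACEHOLDER-NOT-A-REAL-PASSWORD}" > "$1" )
    chmod 0600 "$1"
}

# True when the file is owner-read/write only (the mode libpq accepts).
pgpass_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone demo run: audit, harden, then install the password file.
write_sample_hba
echo "trust rules found in $HBA_FILE:"
if find_trust_entries "$HBA_FILE"; then
    echo "(none)"
fi
harden_hba "$HBA_FILE" "$HARDENED_FILE"
echo "trust rules after hardening: $(count_trust_entries "$HARDENED_FILE")"
install_pgpass "$PGPASS_FILE"
if pgpass_mode_ok "$PGPASS_FILE"; then
    echo "$PGPASS_FILE has mode 0600"
else
    echo "$PGPASS_FILE mode is wrong; libpq will ignore it"
fi
```

Run it as-is to see the audit on the constructed file, or point `HBA_FILE` at a copy of a real pg_hba.conf to list its trust rules. The hardened output is written to a separate file on purpose: the server only picks up a changed pg_hba.conf after a reload, and the new md5 rules only work once the affected roles actually have passwords set and a matching .pgpass line exists for each non-interactive client.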