Thread: In what situations do you use -U of initdb?
Hello, Currently, we are developing some tool for PostgreSQL. To determine the functional specification, I would like to ask PostgreSQLusers about the necessity of support for the -U option of initdb. In what situations do you use -U option of initdb? Is it essential for what reason? I'm not sure whether there are any situations where the DBAs need to use different username/password pairs for the OS userwho starts/stops the database server, and the database superuser. Regards Takayuki Tsunakawa
Package systems which create an automatic user account for your postgresql instance, for example in OpenBSD: system user: _postgresql (in accordance to OpenBSD ports rules) db user: postgres I always use: initdb -U postgres Because that's what everyone expects it to be... On Sun, May 12, 2013 at 11:20 PM, Tsunakawa, Takayuki <tsunakawa.takay@jp.fujitsu.com> wrote: > Hello, > > Currently, we are developing some tool for PostgreSQL. To determine the functional specification, I would like to askPostgreSQL users about the necessity of support for the -U option of initdb. > > In what situations do you use -U option of initdb? Is it essential for what reason? > > I'm not sure whether there are any situations where the DBAs need to use different username/password pairs for the OS userwho starts/stops the database server, and the database superuser. > > > Regards > Takayuki Tsunakawa > > > -- > Sent via pgsql-general mailing list (pgsql-general@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-general
Thanks. I didn't even imagine such a situation. I'd like to hear other cases like: - Packaged applications (not OS) that embeds or uses PostgreSQL - The corporate environment where some security policy is enforced that the OS user and the database administrator user mustbe different Regards Takayuki Tsunakawa > -----Original Message----- > From: pgsql-general-owner@postgresql.org > [mailto:pgsql-general-owner@postgresql.org] On Behalf Of Abel Abraham > Camarillo Ojeda > Sent: Monday, May 13, 2013 2:01 PM > To: Tsunakawa, Takayuki/綱川 貴之 > Cc: pgsql-general@postgresql.org > Subject: Re: [GENERAL] In what situations do you use -U of initdb? > > Package systems which create an automatic user account for your > postgresql instance, for example in OpenBSD: > > system user: _postgresql (in accordance to OpenBSD ports rules) > db user: postgres > > I always use: > > initdb -U postgres > > Because that's what everyone expects it to be... >
On May 13, 2013, at 12:20 AM, Tsunakawa, Takayuki wrote: > I'm not sure whether there are any situations where the DBAs need to use different username/password pairs for the OS userwho starts/stops the database server, and the database superuser. I was thinking obscurity might be a good feature for some servers. In the case of a brute force login attack, the attackerwould need to figure out the username. If the default is taken, the attacker would be less hindered.
"Tsunakawa, Takayuki" <tsunakawa.takay@jp.fujitsu.com> wrote: > I'd like to hear other cases like: > > - Packaged applications (not OS) that embeds or uses PostgreSQL > - The corporate environment where some security policy is > enforced that the OS user and the database administrator user > must be different Well, where I used to work, we had many instances of PostgreSQL running on a server, and found it to be *very* good policy to use a different OS user to run each cluster. We wanted the inital superuser login to match the OS user, for "trust" login. (The superuser login had no password; you had to log in as yourself and run use sudo to run as a database superuser, or root could schedule crontab jobs to run as a database superuser.) So, essentially, the database superuser was always a name meaningful for the cluster -- never postgres. We never liked to allow any OS login except as an identifiable person, and then we could track who was logged in when and what they ran through sudo. -- Kevin Grittner EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company