superuser authentication?
From | woger151 |
---|---|
Subject | superuser authentication? |
Date | |
Msg-id | 002801c72f40$ae1f5590$6501a8c0@apollosjf |
Replies | Re: superuser authentication? |
List | pgsql-general |
I'm setting up postgresql (8.1) on what I hope to be a very secure server (SUSE Linux 10.1). Only authentication allowed by anyone is 'local' (unix-domain sockets). Most users I plan on authenticating by PASSWORD (web connections are made to an apache webserver over SSL; the actual postgresql connections are themselves all local via pg_connect).

What I'm not sure about is how to authenticate the postgresql superuser (user 'postgres' on my system). I'm considering:

1. Using ident (supposedly secure because of the SO_PEERCRED mechanism; and I've made a lot of effort to secure the server at the OS level)
2. Using password (_not_ stored on disk in e.g. pgpass)
3. Using reject

My questions:

* Is 3 overly paranoid in the context of a production server?
* Would 2 or 3 hobble some kind of daemons? (A cursory search led me to think that maybe pg_autovacuum wouldn't work, and I'm not sure if there are other such daemons.)
* If the choice came down to 1 vs 2, is there much argument for one over the other in terms of security? (I realize that there might not be a clear answer to that.)

TIA