On Thu, 2004-11-11 at 15:31, Bob Powell wrote:
> My systems admin says that he needs to have use of the Postgres user
> without a password. His Debian package manager requires this.
The PostgreSQL user "postgres" is given the ability to connect to any
database on the local machine without supplying a password. The Debian
package of PostgreSQL uses "ident sameuser" authentication by default.
This means that you can only connect to PostgreSQL with the same
username as you logged into the system with, and you can only do this
from the local machine. The "postgres" system user is installed with a
non-valid password, so that it is impossible to login as postgres; you
have to become superuser first and then use su. The root user can do
this at any time with the command "su - postgres". He does not need to
supply a password.
I don't know what you mean by "Debian package manager". If you refer to
the package installation scripts, these run as root and therefore a
package's installation script can adopt at will the identity "postgres"
(which is the id that owns the Debian-installed PostgreSQL database).
If you mean that a particular package needs to run without providing a
password on connect, this can be set up by editing
/etc/postgresql/pg_hba.conf for a particular combination of user, host
and database; whether it is the best way to do it is not determinable
from the information you have provided.
I know that some Debian maintainers (or the upstream package authors)
have not really understood how to use PostgreSQL's authentication
system. It may be that you need to file bugs on the packages...but we
need more details.
> He tells me that he can lock down that user on the system so that there
> are no security concerns.
> Can someone tell me if this is acceptable?
I would want to know exactly what he was proposing to do before I could
answer that. Apart from security concerns, if he changes the login
behaviour of the postgres system user, it might cause problems for
package installation scripts, which expect things to be as they are set
up by the postgresql package.
Oliver Elphick
Debian maintainer for PostgreSQL