Thanks for your reply.
On Wed, 2008-08-13 at 08:57 -0600, Scott Marlowe wrote:
> Well, databases are designed to be accessed by people you trust to not
> do really stupid things that can affect the other users.
Well, in a shared hosting scenario this hope can easily
turn out to be in vain, but some sort of trust
in the user to for instance not overload the database
with huge cross joins is required, I agree.
> I'd set up a db per user with pg_hba.conf set to only allow them to
> log into the db of their own name.
I was planning to create an extra role for each database
with the same name as the database and then grant that
role to each user for a single database.
That way I wouldn't have to configure the pg_hba.conf
for each user, and could still have several users for
each database.
The pg_hba line would look as follows
host samerole all localnetwork md5
Do you see any significant problems that could be caused by
this approach?
> Each user = a new database. Let them do what they want to in there.
What about the public schema? I've read some suggestions in various
archived mailing lists to revoke the rights to
the public schema in the user databases; would
you recommend doing this? Why?
> Hiding such things would only be security via obscurity and would
> accomplish exactly nothing.. Actually keeping people from logging
> into another user's database is much more important. that you can do
> with pg_hba.conf.
To be sure, keeping users from logging into other
users' databases is the most important thing (and ensuring
they have sufficiently complex passwords)
from a security POV.
But it's also a question of privacy, it's nobody's
business what other databases and users exist
on the system but the superuser's, I think.
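The setup discussed in this message (a group role named after each database, granted to that database's users, paired with a `samerole` line in pg_hba.conf, plus the suggested lock-down of the public schema) as an added, self-contained example. This is not code from the thread or from the PostgreSQL project; the database name `projectdb`, the users `alice`, `bob` and `carol`, and the passwords are hypothetical placeholders.

```sql
-- Added example, not from the original thread.  Run as a superuser in psql.
-- Hypothetical names: database/group role "projectdb", users alice, bob, carol.

-- 1. Group role with the same name as the database.  NOLOGIN, so the
--    "samerole" pg_hba.conf line matches through membership, not by this
--    role logging in itself.
CREATE ROLE projectdb NOLOGIN;

-- 2. Login roles for the people who may use that database, made members
--    of the group role.  Several users per database, one pg_hba.conf line.
CREATE ROLE alice LOGIN PASSWORD 'replace-with-a-strong-password';
CREATE ROLE bob   LOGIN PASSWORD 'replace-with-a-strong-password';
CREATE ROLE carol LOGIN PASSWORD 'replace-with-a-strong-password';  -- NOT a member
GRANT projectdb TO alice, bob;

-- 3. The database itself, owned by the group role.
CREATE DATABASE projectdb OWNER projectdb;

-- 4. Belt and braces: even if the pg_hba.conf line is later loosened, only
--    members of the group role hold the CONNECT privilege.
REVOKE CONNECT ON DATABASE projectdb FROM PUBLIC;
GRANT  CONNECT ON DATABASE projectdb TO projectdb;

-- 5. Inside the new database, take the default CREATE right on the public
--    schema away from everyone and hand it back only to the group role, so a
--    role that is not a member cannot drop objects into public.
\c projectdb
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT  USAGE, CREATE ON SCHEMA public TO projectdb;

-- 6. Check the result: alice (member) may connect and create, carol may not.
SELECT rolname,
       has_database_privilege(rolname, 'projectdb', 'CONNECT') AS can_connect,
       has_schema_privilege(rolname, 'public', 'CREATE')       AS can_create
FROM   pg_roles
WHERE  rolname IN ('alice', 'bob', 'carol')
ORDER  BY rolname;
-- Expected: alice t/t, bob t/t, carol f/f
```

The matching pg_hba.conf entry is the one quoted in the message, with the `localnetwork` placeholder replaced by a real CIDR range, for example `host samerole all 192.168.1.0/24 md5`. Note that `samerole` also matches a user whose own name equals the database name, so a login role called `projectdb` would be able to connect as well; keeping the group role `NOLOGIN` avoids that path. The `REVOKE CONNECT` step means a user who is a member of two group roles can still reach both databases, which is the intended behaviour here, while everyone else is rejected by the database's own privileges even before pg_hba.conf is considered.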