* Bruce Momjian (bruce@momjian.us) wrote:
> On Mon, Jan 4, 2016 at 12:55:16PM -0500, Stephen Frost wrote:
> > I'd like to be able to include, in both of those, a simple set of
> > instructions for granting the necessary rights to the user who is
> > running those processes. A set of rights which an administrator can go
> > look up and easily read and understand the result of those grants. For
> > example:
> >
> ...
> > pgbackrest:
> >
> > To run pgbackrest as a non-superuser and not the 'postgres' system
> > user, grant the pg_backup role to the backrest user and ensure the
> > backrest system user has read access to the database files (eg: by
> > having the system user be a member of the 'postgres' group):
> ------
>
> Just to clarify, the 'postgres' OS user group cannot read the data
> directory, e.g.
>
> drwx------ 19 postgres staff 4096 Jan 17 12:19 data/
> ^^^group
>
> I assume we don't want to change that.
This is going to be distribution dependent, unfortunately. On
Debian-based distributions, the group is 'postgres' and it'd be
perfectly reasonable to allow that group to read the data directory.
I don't recall offhand if that means we'd have to make changes to allow
that, but, for my 2c, I don't see why we wouldn't allow it to be an
option.
Thanks!
Stephen