Well, that's good news and bad news.
Good news...the application developers' jobs just got a little easier.
Bad news...I get to document why we can't meet this security requirement.
And yes, I agree, it's a pretty air-headed requirement. If I spent
less time chasing compliance, I might actually make the system more
secure.
Ken
On Mon, Jan 31, 2011 at 1:07 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Kenneth Buckler <kenneth.buckler@gmail.com> writes:
>> Does autovacuum automatically use the 'postgres' role?
>
> It automatically uses the bootstrap superuser role.
>
>> If so, how can I change what role autovacuum uses?
>
> You can't.
>
>> One of the security requirements
>> I've been required to implement removes superuser privileges from
>> postgres and assigns those privileges to a different role.
>
> You can't mess around with the bootstrap superuser. If you like, you
> can cause it to be named something other than "postgres" --- just run
> initdb as some other operating system user name. (I think it would also
> work to do ALTER USER RENAME after the fact, but haven't really
> experimented with the consequences of that.) But otherwise, this
> "security requirement" seems pretty air-headed. You have to have a
> superuser.
>
> regards, tom lane
>