Re: Thoughts on the location of configuration files
From | Peter Eisentraut |
---|---|
Subject | Re: Thoughts on the location of configuration files |
Date | |
Msg-id | Pine.LNX.4.30.0112251517410.629-100000@peter.localdomain |
In response to | Re: Thoughts on the location of configuration files (Bruce Momjian <pgman@candle.pha.pa.us>) |
List | pgsql-hackers |

Bruce Momjian writes:

> I have an idea for the Unix socket file permissions and local 'trust'
> permissions as default. Right now we allow the socket permissions to be
> set in postgresql.conf, but that seems like the wrong place for it.
>
> Suppose we add an option to pg_hba.conf for 'local' connections called
> 'singleuser' and 'singlegroup' which set enable socket permissions only for the
> postgres super-user or his group.

This is neither necessarily better, nor even possible. The pg_hba.conf file describes a set (or list) of rules whose input values are certain known parameters from the connection request and whose output value is an authentication method. The permissions of the socket operate on a completely different level: they are considered before a connection request is even generated from the postmaster's point of view, and they don't describe any part of any rule that evaluates to an authentication method, instead they are a scalar state variable of the server.

You can have more than one 'local' record, but you can have only one set of permissions for the socket, so it wouldn't work in general cases. Moreover, attaching the permissions to each record gives users a view of the world which really isn't there, which is quite worse, considering that it's a security-related issue.

--
Peter Eisentraut peter_e@gmx.net
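
The two levels described in the message above, as an added example that is not part of the original post and is not PostgreSQL code: a simplified Python model in which one socket mode gates every local connection before any 'local' record is consulted. The uid/gid values, the two-column record form and all function names are assumptions made for illustration, and the model assumes a platform that enforces permissions on socket files.

```python
# Added illustration: a simplified two-stage model, not PostgreSQL source code.
import stat
from collections import namedtuple

# Hypothetical description of a local client: uid, group ids, requested database.
Peer = namedtuple("Peer", "uid gids database")

def socket_admits(mode, owner_uid, owner_gid, peer):
    """Stage 1, done by the kernel: connect() needs write permission on the
    socket file. There is one mode for the whole server, and it is checked
    before the postmaster sees any connection request. (Root is ignored.)"""
    if peer.uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in peer.gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def hba_method(records, peer):
    """Stage 2, done by the postmaster: the first matching 'local' record
    yields the authentication method; no match means rejection."""
    for database, method in records:
        if database in ("all", peer.database):
            return method
    return "reject"

def connect(mode, owner_uid, owner_gid, records, peer):
    if not socket_admits(mode, owner_uid, owner_gid, peer):
        return "EACCES"  # refused by the OS; no rule is ever evaluated
    return hba_method(records, peer)

# Constructed sample data: server owner uid/gid 26, two 'local' records.
OWNER_UID, OWNER_GID = 26, 26
RECORDS = [("template1", "trust"), ("all", "password")]
admin = Peer(26, {26}, "template1")
dba = Peer(1001, {1001, 26}, "sales")      # member of the server's group
alice = Peer(1000, {1000}, "template1")    # unrelated local user

def outcomes(mode):
    """Result for each sample peer under a single socket mode."""
    return {name: connect(mode, OWNER_UID, OWNER_GID, RECORDS, p)
            for name, p in (("admin", admin), ("dba", dba), ("alice", alice))}

if __name__ == "__main__":
    for mode in (0o777, 0o770, 0o700):
        print(oct(mode), outcomes(mode))
```

Changing the mode changes the outcome for every record at once, so a per-record permission option would describe a state the socket cannot have.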