Обсуждение: A question about permissions

Поиск
Список
Период
Сортировка

A question about permissions

От
David Madore
Дата:
Hi.

I have a question about setting up permissions on a PostgreSQL server:
I can't figure out how to get pg_hba.conf set up to do what I want,
and perhaps someone can help me with this.

The problem is the following: I have a small number of users on my
system with a specific PostgreSQL account.  The latter is always named
in the same way as the user, and the pg_hba.conf file states

host all 127.0.0.1 255.255.255.255 ident sameuser

Now I would like to make the databases readable by anyone.  To this
effect, I have created an extra PostgreSQL account, "guest".  And I
would like anyone to be able to access this "guest" account (without,
of course, having to enter a password or anything like that).  How can
I achieve this?  The only solution I can see is to use some specific
identd mapping, and replace the line above by

host all 127.0.0.1 255.255.255.255 ident sameorguest

and write a (very long) pg_ident.conf that maps every username on the
system to "guest" plus every specific account to itself.  But this is
quickly unmanageable as new accounts are being added to the system all
the time.

Surely there must be some better way to achieve such a simple task?

Another (rather distantly related) question: is there some way to
perform uid-based authentication on a UNIX-domain socket?  It seems
absurd to use a TCP socket on localhost and identd for this effect: it
is slower, and identd is sometimes unreliable, whereas credentials can
be sent on a Unix-domain socket through sendmsg() and related
functions.

Thanks for any help.

PS: Please send copy of replies to me personally as I do not receive
mail from the list.  Thanks again.

--
     David A. Madore
    (david.madore@ens.fr,
     http://www.eleves.ens.fr:8080/home/madore/ )

Re: A question about permissions

От
Andrew Gould
Дата:
The following configuration line should allow anyone
to login as him/herself or guest.

host all 127.0.0.1 255.255.255.255 password

I don't think this would weaken your current level of
security, as a user name and password would still be
needed to login as someone else.  You could even
assign passwords that are different from users' system
passwords.

Best of luck,

Andrew Gould

--- David Madore <david.madore@ens.fr> wrote:
> Hi.
>
> I have a question about setting up permissions on a
> PostgreSQL server:
> I can't figure out how to get pg_hba.conf set up to
> do what I want,
> and perhaps someone can help me with this.
>
> The problem is the following: I have a small number
> of users on my
> system with a specific PostgreSQL account.  The
> latter is always named
> in the same way as the user, and the pg_hba.conf
> file states
>
> host all 127.0.0.1 255.255.255.255 ident sameuser
>
> Now I would like to make the databases readable by
> anyone.  To this
> effect, I have created an extra PostgreSQL account,
> "guest".  And I
> would like anyone to be able to access this "guest"
> account (without,
> of course, having to enter a password or anything
> like that).  How can
> I achieve this?  The only solution I can see is to
> use some specific
> identd mapping, and replace the line above by
>
> host all 127.0.0.1 255.255.255.255 ident sameorguest
>
> and write a (very long) pg_ident.conf that maps
> every username on the
> system to "guest" plus every specific account to
> itself.  But this is
> quickly unmanageable as new accounts are being added
> to the system all
> the time.
>
> Surely there must be some better way to achieve such
> a simple task?
>
> Another (rather distantly related) question: is
> there some way to
> perform uid-based authentication on a UNIX-domain
> socket?  It seems
> absurd to use a TCP socket on localhost and identd
> for this effect: it
> is slower, and identd is sometimes unreliable,
> whereas credentials can
> be sent on a Unix-domain socket through sendmsg()
> and related
> functions.
>
> Thanks for any help.
>
> PS: Please send copy of replies to me personally as
> I do not receive
> mail from the list.  Thanks again.
>
> --
>      David A. Madore
>     (david.madore@ens.fr,
>      http://www.eleves.ens.fr:8080/home/madore/ )
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org


__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/