Discussion: Is it okay to run Postgres service account as a domain account (on Linux)?

Is it okay to run Postgres service account as a domain account (on Linux)?

From
David
Date:
Just wondering if it is recommended, or not, to run Postgres as a domain account on Linux.  If not, then why not?

Thank you,

David

Re: Is it okay to run Postgres service account as a domain account (on Linux)?

From
Alvaro Aguayo Garcia-Rada
Date:
Even when possible, I won't recommend it; not for postgres reasons, but for security. If someone compromises the domain
account, they could gain access to postgres data with no restriction. Unless there is a reason to use a domain account, of
course.

Regards,

Alvaro Aguayo
Head of Operations
Open Comb Systems E.I.R.L.

Office: (+51-1) 3377813 | Mobile: (+51) 995540103  | RPC: (+51) 954183248
Website: www.ocs.pe

----- Original Message -----
From: "David" <dbwagoner@gmail.com>
To: "pgsql-admin" <pgsql-admin@postgresql.org>
Sent: Monday, 26 February, 2018 11:22:34
Subject: Is it okay to run Postgres service account as a domain account (on Linux)?

Just wondering if it is recommended, or not, to run Postgres as a domain
account on Linux.  If not, then why not?

Thank you,

David


Re: Is it okay to run Postgres service account as a domain account (on Linux)?

From
Azimuddin Mohammed
Date:
If you want to run postgres with a different account I say why not. While initializing the db you need to mention what user you want to run as super user.

On Feb 26, 2018 1:50 PM, "Alvaro Aguayo Garcia-Rada" <aaguayo@opensysperu.com> wrote:
Even when possible, I won't recommend it; not for postgres reasons, but for security. If someone compromises the domain account, they could gain access to postgres data with no restriction. Unless there is a reason to use a domain account, of course.

Regards,

Alvaro Aguayo
Head of Operations
Open Comb Systems E.I.R.L.

Office: (+51-1) 3377813 | Mobile: (+51) 995540103  | RPC: (+51) 954183248
Website: www.ocs.pe

----- Original Message -----
From: "David" <dbwagoner@gmail.com>
To: "pgsql-admin" <pgsql-admin@postgresql.org>
Sent: Monday, 26 February, 2018 11:22:34
Subject: Is it okay to run Postgres service account as a domain account (on Linux)?

Just wondering if it is recommended, or not, to run Postgres as a domain
account on Linux.  If not, then why not?

Thank you,

David

Re: Is it okay to run Postgres service account as a domain account (on Linux)?

From
Bear Giles
Date:
On Mon, Feb 26, 2018 at 9:22 AM, David <dbwagoner@gmail.com> wrote:
Just wondering if it is recommended, or not, to run Postgres as a domain account on Linux.  If not, then why not?

Thank you,

David

What problem is this solving?

Re: Is it okay to run Postgres service account as a domain account (on Linux)?

From
Tim Cross
Date:
If you're running postgres on Linux, you have to have a Linux account on the server to run postgres[1]. It would be possible to have the Linux server configured to use AD/Kerberos for authentication and that might be justified in some environments e.g. where you have a Windows based identity and access management system, but you will still need an account on the Linux system. The downside of doing this is that you're just adding another possible failure point.

You are probably better off just going with 'standard' practices and have the normal postgres user, but restrict access to the server. You can then have a separate administrator account which uses AD/Kerberos and do all your administration using that account (or a number of accounts with minimum access levels needed depending on your requirements, such as one per database).

1. There are 'clever' things you can do to enable those with AD accounts to log in to a Linux system which does not require running 'adduser' on the Linux host, but these solutions tend not to work well when you want to run 'services' on that host using one of those accounts. For example, you have to add 'clever' boot facilities to ensure the AD/Kerberos infrastructure is running before the postgres server and if it isn't, deal with things gracefully etc. Things quickly become very complicated.

On 27 February 2018 at 03:22, David <dbwagoner@gmail.com> wrote:
Just wondering if it is recommended, or not, to run Postgres as a domain account on Linux.  If not, then why not?

Thank you,

David



--
regards,

Tim

--
Tim Cross
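
The failure-point concern raised in this thread can be checked on a host: is the service account defined in the local passwd file, or can it only be resolved through a directory source listed in nsswitch.conf? The script below is an added example, not part of the original thread; the account name `svc_pg` and the sample file contents are constructed, and it only reads the two files, it does not query the directory.

```shell
#!/bin/sh
# Added example: classify where a service account is defined.

# Succeeds if USER ($1) has an entry in the passwd-format file ($2).
is_local_account() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Prints the non-local sources on the "passwd:" line of an
# nsswitch.conf-format file ($1), e.g. "sss" or "winbind ldap".
directory_sources() {
    awk '$1 == "passwd:" {
        for (i = 2; i <= NF; i++)
            if ($i != "files" && $i != "compat" && $i != "systemd" && substr($i, 1, 1) != "[")
                printf "%s%s", (n++ ? " " : ""), $i
    }' "$1"
}

# classify_service_account USER PASSWD_FILE NSSWITCH_FILE
#   local            account exists in the local file; no directory needed at boot
#   directory: SRCS  not local; can only resolve while those sources are reachable
#   missing          not local and no directory source configured
classify_service_account() {
    if is_local_account "$1" "$2"; then
        echo "local"
    elif [ -n "$(directory_sources "$3")" ]; then
        echo "directory: $(directory_sources "$3")"
    else
        echo "missing"
    fi
}

# Constructed sample input: a local postgres user and an sssd-backed host.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\npostgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash\n' > "$d/passwd"
    printf 'passwd: files sss systemd\ngroup: files sss\n' > "$d/nsswitch.conf"
    echo "postgres -> $(classify_service_account postgres "$d/passwd" "$d/nsswitch.conf")"
    echo "svc_pg   -> $(classify_service_account svc_pg "$d/passwd" "$d/nsswitch.conf")"
    rm -rf "$d"
}
demo
```

On a real host the arguments would be `/etc/passwd` and `/etc/nsswitch.conf`, with the user taken from the PostgreSQL service definition.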