Re: Question Two: DB access

From: Tim Frank <tfrank(at)registrar(dot)uoguelph(dot)ca>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Question Two: DB access
Date: 2001-04-19 03:02:10
Message-ID: 20010419.3021068@cr625228-a.ktchnr1.on.wave.home.com
Lists: pgsql-general

Not necessarily, try using the "sameuser" parameter as a DBNAME.

    host sameuser xxx.xxx.xxx.xxx 255.255.255.255 password

which would let a user connect to a database equivalent to the username
they are logging in as from the specified IP/mask. Depending on what
users connect from where you might have to repeat this line with
different IP/mask combinations. But it would then only allow users to
connect to a database having their username. It worked for me in my
testing even though I don't actually use this authentication method in my
environment since most DBNAMEs don't match with users. In those
instances I have had to use the external password files to help control
this (which is much nicer to do in 7.1 since the password entry in the
external file is optional and can be set to use the password in the
database).

Hope that helps.

Tim Frank

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 18/04/01, 4:39:17 PM, TheBOFH(at)nc(dot)rr(dot)com (The BOFH) wrote regarding
Question Two: DB access:

> Since I'm used to the MySQL security paradigm/model, I'm having a little
> difficulty understanding the security with pgsql.

> I noticed that once a db is created, any user able to log in to the server
> can create tables within a database. The docs indicate that I can create a
> file containing username:[password] combos to allow only listed users
> access to a database, but apparently it's a one file/one database scheme.

> "To restrict the set of users that are allowed to connect to certain
> databases, list the set of users in a separate file (one user name per
> line) in the same directory that pg_hba.conf is in, and mention the (base)
> name of the file after the password or crypt keyword, respectively, in
> pg_hba.conf. If you do not use this feature, then any user that is known
> to the database system can connect to any database (so long as he
> passes password authentication, of course)."

> If I want to allow users access to only their databases, do I create a
> separate file for each database, and then include the allowed users in that
> file? I'm really after by-database security, as opposed to by-table so it
> doesn't appear that using groups would help.

> The question then arises: Do I then need to add a separate line in
> pg_hba.conf for each database under this kind of control?

> Thanks

> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?

> http://www.postgresql.org/search.mpl
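
The "sameuser" matching described in the reply above, as an added example that is not part of the original thread and is not PostgreSQL's own code. It models only the `host DBNAME IP MASK AUTHTYPE` record form shown in the message; the function names, the sample addresses and the first-matching-record evaluation order are assumptions of this sketch.

```python
import ipaddress

# Constructed sample in the record form shown in the message:
#   host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE
SAMPLE_HBA = """\
# constructed example records (documentation address ranges)
host sameuser 192.0.2.10   255.255.255.255 password
host sameuser 198.51.100.0 255.255.255.0   password
host sales    192.0.2.20   255.255.255.255 crypt
"""

def parse_hba(text):
    """Return (dbname, network, authtype) tuples for each 'host' record."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue  # blank line, comment, or a record type not modelled here
        _, dbname, addr, mask, authtype = fields[:5]
        # strict=False: the address part may have host bits set under the mask
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        records.append((dbname, network, authtype))
    return records

def match_record(records, user, database, client_ip):
    """Return the auth type of the first record that matches the connection
    attempt, or None when no record matches (connection refused).
    This only selects the record; the password check itself comes after."""
    ip = ipaddress.ip_address(client_ip)
    for dbname, network, authtype in records:
        if ip not in network:
            continue
        if dbname == "all" or dbname == database:
            return authtype
        # "sameuser" matches only when the requested database is named
        # exactly like the connecting user.
        if dbname == "sameuser" and database == user:
            return authtype
    return None

RECORDS = parse_hba(SAMPLE_HBA)
```

Under these records, a user named alice connecting from 192.0.2.10 reaches only the database named alice; a request for any other database from that address matches no record and is refused.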
