Re: Authorization problem

From: "Pedro Fonseca" <pedro(dot)fonseca(at)netcabo(dot)pt>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Authorization problem
Date: 2001-10-05 16:45:36
Message-ID: 9pko47$1o20$1@news.tht.net
Lists: pgsql-admin

<hodges(at)xprt(dot)net> wrote in message news:3BBC0096(dot)18900(dot)4AB4F2(at)localhost(dot)(dot)(dot)
> Do you have pgaccess installed? Run it from unix prompt,
> select the database, and put in only the user(s) you want
> to have access. phppgadmin is another program that allows
> you to set users for each database.

Well, I have pgaccess installed, but the users in pgaccess are the
PostgreSQL users. I mean, it's still possible for any user in the system to
log in to any database, using any PostgreSQL user.

Let me give an example: let us say that only the system users 'postgres' and
'test_db_user' have matching PostgreSQL users. All other system users don't
own corresponding PostgreSQL users.

However every user in the system can connect to any database as any of the
existing PostgreSQL users. Let us say that I'm the user 'regular_user'
(doesn't have a corresponding PostgreSQL user). I can connect to the
database 'test_db' using the PostgreSQL user 'test_db_user' simply by doing
this:

/usr/local/pgsql/bin/psql test_db test_db_user

You see? Every user in the system, even if he doesn't own a PostgreSQL user,
can connect to any database, as any PostgreSQL user! This is very bad
policy!

This is what happens with the 'trust' AUTHTYPE in pg_hba.conf. Again, one
way around this would be to use the AUTHTYPE 'ident', and then create a map.
But this AUTHTYPE only works for TCP/IP connections, and I don't want to use
that because everything is happening on the same machine. Also, it's a
bummer to have to authenticate every time with passwords...

Isn't there a way to solve this? It would be cool if one would be able to
have a map for the 'local' TYPE, like the one we can have for the 'host'
TYPE, in pg_hba.conf.

Please, any ideas?

--
______________________________________________________________________
Pedro Fonseca (pedro(dot)fonseca(at)iscte(dot)pt)
Mob.: (+351)964598357
http://www.pedrofonseca.com
ADETTI/ISCTE (Instituto Superior de Ciências do Trabalho e da Empresa)
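
An added example, not part of the original message: a small Python check that lists the pg_hba.conf records using the 'trust' AUTHTYPE the message describes, with the scope each one opens. The column layout, the sample file and the name audit_hba are assumptions; change AUTH_COLUMN if your release lays the records out differently.

```python
# Added example: list pg_hba.conf records whose AUTHTYPE is 'trust'.
# Assumed column layout (index of AUTHTYPE per record TYPE):
#   local DBNAME AUTHTYPE [ARG]
#   host  DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [ARG]
AUTH_COLUMN = {"local": 2, "host": 4, "hostssl": 4}

# Constructed sample file, not taken from the post.
SAMPLE_HBA = """\
# TYPE  DATABASE  IP_ADDRESS   MASK             AUTHTYPE  MAP
local   all                                     trust
host    test_db   127.0.0.1    255.255.255.255  ident     sameuser
host    all       192.168.0.0  255.255.255.0    password
host    all       0.0.0.0      0.0.0.0          trust     # any address
local   test_db
"""


def audit_hba(text):
    """Return (trust_records, unparsed_line_numbers) for a pg_hba.conf body."""
    trust_records, unparsed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if not fields:
            continue  # blank or comment-only line
        col = AUTH_COLUMN.get(fields[0])
        if col is None or len(fields) <= col:
            unparsed.append(line_no)  # unknown TYPE or truncated record
            continue
        if fields[col].lower() != "trust":
            continue
        if fields[0] == "local":
            scope = "any system user via the Unix socket"
        else:
            scope = f"any client in {fields[2]}/{fields[3]}"
        trust_records.append((line_no, fields[0], fields[1], scope))
    return trust_records, unparsed


if __name__ == "__main__":
    records, unparsed = audit_hba(SAMPLE_HBA)
    for line_no, rec_type, database, scope in records:
        print(f"line {line_no}: {rec_type} {database}: trust ({scope})")
    for line_no in unparsed:
        print(f"line {line_no}: could not parse, review by hand")
```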
