Re: Re: [HACKERS] pgsql/php3/apache authentication

> >given that, i'm looking at changing things so that i use:
> >
> >local all password
> >host all 127.0.0.1 255.255.255.255 ident sameuser
> >
> >this will force all connections through the unix domain socket to need a
> >password.
> >
> >it will allow unfettered access if the launching process is owned by
> >a valid pg_user.
>
> I always thought ident services should be grouped with fortune cookie
> services and so on :). But, since it's localhost it could work.

Never trust an identd running on a system you don't have a
static ARP entry for - right? Still not secure (on some
systems it's possible to fake the mac address), but good
enough for most purposes.

> >is there a performance penalty associated with forcing the bulk of my
> >processing through the loopback, as opposed to the unix domain socket?
>
> I believe there's a bit more latency but it could be about a millisecond or
> less.
>
> You could always do some benchmarks. e.g. time 1000 queries which return
> lots of data.

One of the reasons for using relational databases is to
reduce the amount of IO needed to get a particular
information. So IPC throughput shouldn't be the a real
problem - except there is some major problem with the DB
layout or the application coding. In that case I'd suggest

if it doesn't fit, don't force it - use a bigger hammer!

Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#========================================= wieck(at)debis(dot)com (Jan Wieck) #