
17.1. The PostgreSQL User Account

As with any server daemon that is accessible to the outside world, it is advisable to run PostgreSQL under a separate user account. This user account should only own the data that is managed by the server, and should not be shared with other daemons. (For example, using the user nobody is a bad idea.) It is not advisable to install executables owned by this user because compromised systems could then modify their own binaries.

To add a Unix user account to your system, look for a command useradd or adduser. The user name postgres is often used, and is assumed throughout this book, but you can use another name if you like.

Comments


Oct. 20, 2010, 5:21 a.m.

(Copied and modified from v8.3 & v8.4 user comments and tested on OS X 10.6.4)

Mac OS X users:
Because OS X uses Open Directory to manage user accounts, there is no useradd/adduser command to speak of.
Instead, one may use a directory services utility to add a new user. This utility varies depending on your OS X version.

OS X 10.0–10.4:
Use the NetInfo Manager.app in /Applications/Utilities

OS X 10.5–10.6:
Use the dscl command-line utility.

You will need to create a new postgres user, and corresponding group for that user. You will need sudo or root access to create that user account.

Although the manual does not mention groups, it is a good idea to give the user account its own group as well. This prevents any files in the database cluster with group write-access from being modified by other users.

To create the user account and group from the Terminal application, first find an unused group ID and an unused user ID. To see the IDs that are currently in use, type

$ sudo dscl . -list /Groups PrimaryGroupID
$ sudo dscl . -list /Users UniqueID

or if it helps you to see just a sorted list of IDs, type

$ sudo dscl . -list /Users UniqueID |awk '{print $2 "\t" $1}' |sort -b -g
$ sudo dscl . -list /Groups PrimaryGroupID |awk '{print $2 "\t" $1}' |sort -b -g

Assuming that group ID 50 and user ID 100 are not in use (change the group ID to an unused one on your system), first create the group _postgres by typing:

$ sudo dscl . -create /Groups/_postgres
$ sudo dscl . -create /Groups/_postgres PrimaryGroupID 50
$ sudo dscl . -append /Groups/_postgres RecordName postgres

(Leopard precedes daemon names with an underscore. The last command created an alias without the underscore, though, so that you can forget the underscore exists.)

Then create the user account _postgres (change the user ID to an unused one on your system) by typing:

$ sudo dscl . -create /Users/_postgres
$ sudo dscl . -create /Users/_postgres UniqueID 100
$ sudo dscl . -create /Users/_postgres PrimaryGroupID 50
$ sudo dscl . -create /Users/_postgres UserShell /bin/bash
$ sudo dscl . -create /Users/_postgres RealName "PostgreSQL Server"
$ sudo dscl . -create /Users/_postgres NFSHomeDirectory /usr/local/pgsql
$ sudo dscl . -append /Users/_postgres RecordName postgres

You can check the user variables with this command:

$ sudo dscl . -read /Users/_postgres

The user account is now created. It is not given a password intentionally. This prevents anyone but root from logging in as postgres. To use the postgres user account, type

$ sudo su - postgres

When the database cluster is initialised, you want the cluster to not only be owned by the postgres user, but also by the postgres group. Replace the chown line in Section 17.2 with

root# chown postgres:postgres /usr/local/pgsql/data
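
The ownership rules stated in this section and in the comment above (the service account owns only the data, it has its own group, and the cluster belongs to that user and group) can be checked after installation. The script below is an added example, not part of the PostgreSQL documentation or of the user comment; the function names are hypothetical, and the usage line assumes binaries in /usr/local/pgsql/bin and the cluster in /usr/local/pgsql/data.

```shell
#!/bin/sh
# Added example: audit file ownership around a PostgreSQL service account.
# Function names and the bin/data paths in the usage line are assumptions.
# Usage: audit_pg_install postgres postgres /usr/local/pgsql/bin /usr/local/pgsql/data

# Files under DIR owned by the service account, which it could rewrite
# if the server process were compromised.
owned_by_account() {            # ACCOUNT DIR
    find "$2" -user "$1" -print
}

# Files under DIR writable via the service group or by everyone.
# Symlinks are skipped because their mode bits are not used for access checks.
writable_by_group_or_world() {  # GROUP DIR
    find "$2" ! -type l \( \( -group "$1" -perm -020 \) -o -perm -002 \) -print
}

# Files under DIR whose owner or group is not ACCOUNT:GROUP.
not_owned_by() {                # ACCOUNT GROUP DIR
    find "$3" \( ! -user "$1" -o ! -group "$2" \) -print
}

# Print one finding per problem. Returns 0 if clean, 1 on findings, and
# 2 if a scan failed (for example a mistyped account name), so that a
# failed scan is never mistaken for a clean result.
audit_pg_install() {            # ACCOUNT GROUP BINDIR DATADIR
    rc=0
    out=$(owned_by_account "$1" "$3") || return 2
    if [ -n "$out" ]; then
        printf 'FAIL: owned by service account %s:\n%s\n' "$1" "$out"; rc=1
    fi
    out=$(writable_by_group_or_world "$2" "$3") || return 2
    if [ -n "$out" ]; then
        printf 'FAIL: writable via group %s or by everyone:\n%s\n' "$2" "$out"; rc=1
    fi
    out=$(not_owned_by "$1" "$2" "$4") || return 2
    if [ -n "$out" ]; then
        printf 'FAIL: in data directory but not %s:%s:\n%s\n' "$1" "$2" "$out"; rc=1
    fi
    return $rc
}
```

Run it as root so that find can read the whole data directory; an unreadable subdirectory is reported as a failed scan (exit status 2), not as a clean result.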

Copyright © 1996-2014 The PostgreSQL Global Development Group