Re: DB Access Restrictions

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Kris Deugau <vwebtest(at)webhart(dot)deepnet(dot)cx>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: DB Access Restrictions
Date: 2002-08-22 02:05:49
Message-ID: 200208220205.g7M25oZ22546@candle.pha.pa.us
Lists: pgsql-admin pgsql-jdbc

Kris Deugau wrote:
> I'm finalizing the setup to be used to host customer DBs for a domain
> hosting service, and I'd like to make sure I've got the access controls
> straight:
>
> In pg_hba.conf, I've seen and managed to figure out *most* of how access
> to the various DBs can be controlled. I'll be using the "password"

If your network is not secure, I recommend MD5. In fact, we recommend
MD5 with encrypted_passwords enabled in postgresql.conf in almost all
cases. Encrypted passwords will be the default in 7.3.

> authentication, most likely with either sameuser or all:
> -> db of "sameuser" *REQUIRES* that the connecting user have the same
> name as the database they're trying to connect to - for ANYONE
> using this access method
> -> db of "all" lets the access control slip down a level to whether a
> user has provided the proper password.
>
> Is there any way to simply specify a list of users for each db? I

In 7.3, due out in a few months, there is a USER column where you can
list users or specify a filename containing usernames.

> haven't been able to figure out if that's possible or not with
> "password" authentication. (ident is useless; all DB access except
> limited administrative control on my part will be via PHP across the
> local UNIX socket- and ident will return "apache" if it returns anything
> useful at all.)

In 7.2.X and earlier, the only way is to specify a secondary password
file, and list user names in there. You don't actually need the
passwords in the file, just the usernames, but again, that only works
with 'password', I think.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
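
The per-database user lists that the reply above says arrive in 7.3 can be checked before deployment. The following is an added example, not part of the original message and not PostgreSQL code: a simplified Python model of how the first matching record is chosen for a local-socket connection. It assumes the 7.3 record layout `local DATABASE USER METHOD`; the sample databases, users and the `blog_users` file are constructed, and `+group` and `samegroup` are not modelled.

```python
# Simplified model of how a 7.3-style pg_hba.conf picks a record for a
# local-socket connection: "local DATABASE USER METHOD", first match wins.
# Not PostgreSQL code; +group and samegroup are not modelled.

SAMPLE_HBA = """\
# TYPE  DATABASE   USER            METHOD   (constructed sample)
local   shopdb     alice,bob       md5
local   blogdb     @blog_users     md5
local   sameuser   all             md5
local   all        all             reject
"""

# Stand-in for user-list files kept next to pg_hba.conf (constructed).
SAMPLE_FILES = {"blog_users": "carol\ndave\n"}


def parse_hba(text):
    """Return [(database_field, user_field, method)] for 'local' records."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 4 and fields[0] == "local":
            records.append((fields[1], fields[2], fields[3]))
    return records


def _expand(field, files):
    """Expand a comma-separated field, reading @file entries from `files`."""
    names = set()
    for item in field.split(","):
        if item.startswith("@"):
            names.update(files.get(item[1:], "").split())
        else:
            names.add(item)
    return names


def auth_method(records, database, user, files=SAMPLE_FILES):
    """Method of the first record matching (database, user), else None."""
    for db_field, user_field, method in records:
        dbs = _expand(db_field, files)
        users = _expand(user_field, files)
        db_ok = "all" in dbs or database in dbs or ("sameuser" in dbs and database == user)
        user_ok = "all" in users or user in users
        if db_ok and user_ok:
            return method  # later records are never consulted
    return None  # no record matched: the server refuses the connection
```

Because the first match wins, the closing `reject` record only catches connections that no earlier per-database line allowed.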
