Skip site navigation (1) Skip section navigation (2)

Re: postgres database user account

From: "Maria L(dot) Wilson" <Maria(dot)L(dot)Wilson-1(at)nasa(dot)gov>
To: "Plugge, Joe R(dot)" <JRPlugge(at)west(dot)com>
Cc: "Wilson, Maria Louise (LARC-E301)[SCIENCE SYSTEMS APPLICATIONS]"<m(dot)l(dot)wilson(at)nasa(dot)gov>, "pgsql-admin(at)postgresql(dot)org"<pgsql-admin(at)postgresql(dot)org>
Subject: Re: postgres database user account
Date: 2010-06-30 20:15:44
Message-ID: 4C2BA5F0.1020908@nasa.gov (view raw or flat)
Thread:
Lists: pgsql-admin
that sounds similar to what we are trying to accomplish.  Looks like 
what we need to do is use the sudo at the OS level - and remove the 
postgres db user account altogether....  giving specific users the privs 
(or create roles) that accomplish what they need.

Plugge, Joe R. wrote:
> If the user is allowed to become (sudo - postgres) they can stop, start, the database and then change the pg_hba.conf, created unrestricted access into the database, even from remote machines.  Typically on our systems, we do not allow users to log into the actual machine, rather create roles in the database according to their needs and then have them come in from another machine.  This keeps all sorts of undesirable behavior (zcat, grep, cut, awk, programs running etc) off of your database machine.
>
> -----Original Message-----
> From: Maria L. Wilson [mailto:Maria(dot)L(dot)Wilson-1(at)nasa(dot)gov] 
> Sent: Wednesday, June 30, 2010 3:03 PM
> To: Plugge, Joe R.
> Cc: Wilson, Maria Louise (LARC-E301)[SCIENCE SYSTEMS APPLICATIONS]; pgsql-admin(at)postgresql(dot)org
> Subject: Re: [ADMIN] postgres database user account
>
> ok - thanks that makes sense....
>
> so what about the operating system account that is different?  What we 
> are planning on doing with the OS acct (postgres) is only allowing users 
> sudo ability to this account.  Nobody should be able to directly log 
> into it.  Do you think that will cause problems?
>
> thanks again - Maria
>
> Plugge, Joe R. wrote:
>   
>> Yes, you can create a role that is a superuser that should be able to do internal work:
>>
>> CREATE ROLE myuser;
>> ALTER ROLE myuser WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN PASSWORD 'mypassword' VALID UNTIL 'infinity';
>>
>> If you are talking about the operating system account named postgres, then this is a different question.
>>
>> -----Original Message-----
>> From: pgsql-admin-owner(at)postgresql(dot)org [mailto:pgsql-admin-owner(at)postgresql(dot)org] On Behalf Of Maria L. Wilson
>> Sent: Wednesday, June 30, 2010 2:15 PM
>> To: pgsql-admin(at)postgresql(dot)org
>> Subject: [ADMIN] postgres database user account
>>
>> Hoping someone out there can answer this general question(s)....  I am 
>> having to justify having access to the "postgres" database user account 
>> to do DBA type work.....
>> Is there any specific items that require the postgres database user 
>> account to run?
>>
>> Can any general user (with superuser permission) basically do what this 
>> postgres account does?
>>
>> thanks,  Maria Wilson
>> Nasa/Langley Research Center
>> Hampton, Virginia 23681
>>
>>   
>>     

In response to

Responses

pgsql-admin by date

Next:From: Tom LaneDate: 2010-06-30 20:16:43
Subject: Re: postgres database user account
Previous:From: Maria L. WilsonDate: 2010-06-30 20:13:17
Subject: Re: postgres database user account

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group