Re: server authentication over Unix-domain sockets

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: server authentication over Unix-domain sockets
Date: 2010-06-11 12:08:59
Message-ID: AANLkTild-Z3t_8XSd7qtOObzP45GGH3OaRar72sFHcoF@mail.gmail.com
Lists: pgsql-hackers

On Fri, Jun 11, 2010 at 14:07, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Peter Eisentraut (peter_e(at)gmx(dot)net) wrote:
>> The patch needs some portability work and possible refactoring because
>> of that, but before I embark on that, comments on the concept?
>
> I definitely like the idea but I dislike requiring the user to do
> something to implement it.  Thinking about how packagers might want to
> use it, could we make it possible to build it defaulted to a specific
> value (eg: 'postgres' on Debian) and allow users a way to override
> and/or unset it?

Well, even if we don't put that in, the packager could export a global
PGREQUIREPEER environment variable.

> Having the option wouldn't do much unless users know of it and use it
> and it strikes me that will very often not be the case.
>
> I'm impartial towards whatever PG wants to do with the default, just so
> long as packagers can override it and set it to something specific.
> Also, to that end, it's got to be name-based.  Exim in Debian did
> something similar and actually tried to force a particular UID..  that
> was horrid. :)  On Debian, at least, the user is almost always
> 'postgres', but the UID will vary depending on exactly when the packages
> were installed (before or after other system-user-creating packages).

Oh yes, absolutely name-based.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
