Re: The pg_hba.conf file

From: <ghaverla(at)freenet(dot)edmonton(dot)ab(dot)ca>
To: pgsql-novice(at)postgresql(dot)org
Subject: Re: The pg_hba.conf file
Date: 2002-12-19 15:00:46
Message-ID: Pine.A41.3.95.1021219075326.17270C-100000@fn2.freenet.edmonton.ab.ca
Lists: pgsql-novice

On Thu, 19 Dec 2002, Bruno Wolff III wrote:
> On Wed, Dec 18, 2002 at 22:38:59 -0700,
> ghaverla(at)freenet(dot)edmonton(dot)ab(dot)ca wrote:
> >
> > 2 --------------------------------
[ ... ]
> > which apparently can be configured to lie. Which leads me to ask
> > the question, is ident trustworthy for local connections? Certainly
>
> Yes. If you can't trust the local machine, then you shouldn't be running
> your postgres server on it. Note that ident for "local" (this doesn't
> include connections to 127.0.0.1) connections does not depend on an ident
> server.

Since I admin the local machine, I guess I can trust myself.
But I was looking to see that identity for the "local" connection
has nothing to do with any ident daemon I may be running (or
not running, which is what I would prefer).

> > 3.1 ---------------------------------------------
> > In the above local ... example, I suspect having "ident sameuser"
> > as the authentication allowing access to the database "sameuser"
> > restricts completely, but the "all" wildcard for the user seems out
> > of place. Something like:
> > local sameuser sameuser ident sameuser
> > seems to better describe the situation, that I only want these
> > connections by UNIX UIDs to databases with the same name as
> > the UNIX UID.
>
> The 'all' in the users field indicates that all users can use the
> database matching their username. If you only want some users to
> be able to do this you can use a list or group there. Having
> 'sameuser' there wouldn't make much sense since the supplied user name is
> also the same as the supplied user name.

It never occurred to me, that you would only want to put a subset
of names in the USER field. I agree that having "sameuser" isn't
very clear, but then I didn't think "all" was completely clear
either. "All" seems to mean different things in different
contexts.

> > It's not unusual to see sample pg_hba.conf files, which have
> > a
> > host all all 0.0.0.0 0.0.0.0 reject
> > line at the end. Should a person have similar lines for hostssl
> > and local connections? I.e.:
>
> Well the default will be to reject connections, so they aren't really needed
> except to prevent accidents. However 'host' will match 'hostssl' connections
> (but not vice versa), so you don't need hostssl in addition to host if you
> do that. 'local' connections are different and need a separate entry.

I just like to be in the habit of having an explicit "Default" for
any "switches" I have in code. Having an explicit reject for
local seemed to be a good thing to add.

But, thanks for the clarification.

Gord
--
Matter Realisations http://www.materialisations.com/
Gordon Haverland, B.Sc. M.Eng. President
101 9504 182 St. NW Edmonton, AB, CA T5T 3A7
780/481-8019 ghaverla @ freenet.edmonton.ab.ca
780/993-1274 (alt.)
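As an added illustration of the matching behaviour Bruno describes above (first matching line wins, a 'host' line also matches hostssl connections but not the reverse, 'local' needs its own line, and no match means reject), here is a small Python simulator of the 7.3-era pg_hba.conf column layout. This is example code written for this page, not PostgreSQL's own matcher; the sample file, user names and addresses are constructed.

```python
import ipaddress

# Constructed pg_hba.conf in the PostgreSQL 7.3 column layout the thread discusses:
#   local  DATABASE USER                    METHOD [OPTION]
#   host*  DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
PG_HBA = """
local   sameuser all                            ident sameuser
hostssl all      all  192.168.1.0  255.255.255.0  md5
host    all      all  0.0.0.0      0.0.0.0        reject
local   all      all                            reject
"""

def parse_hba(text):
    # Split each non-comment line into its columns and keep them as a rule dict.
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            rules.append({"type": "local", "db": fields[1], "user": fields[2],
                          "method": " ".join(fields[3:])})
        else:
            net = ipaddress.IPv4Network((fields[3], fields[4]))
            rules.append({"type": fields[0], "db": fields[1], "user": fields[2],
                          "net": net, "method": " ".join(fields[5:])})
    return rules

def _type_matches(rule_type, conn_type):
    # 'host' covers plain and SSL TCP connections; 'hostssl' only SSL; 'local' only sockets.
    return conn_type in ("host", "hostssl") if rule_type == "host" else rule_type == conn_type

def _db_matches(rule_db, db, user):
    # 'sameuser' admits only the database named after the connecting user.
    return rule_db == "all" or (db == user if rule_db == "sameuser" else db in rule_db.split(","))

def decide(rules, conn_type, db, user, addr=None):
    """Return the method of the first matching rule; no match means reject (the default)."""
    for r in rules:
        if not _type_matches(r["type"], conn_type):
            continue
        if r["type"] != "local" and ipaddress.IPv4Address(addr) not in r["net"]:
            continue
        if not _db_matches(r["db"], db, user):
            continue
        if r["user"] != "all" and user not in r["user"].split(","):
            continue
        return r["method"]
    return "reject"
```

Dropping the two explicit reject lines (`rules[:2]`) gives the same decisions, which is the point Bruno makes: they only guard against accidents, they do not change the default.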
