Re: unix_socket_group problem

From: Joe Miller <joe(dot)d(dot)miller(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: unix_socket_group problem
Date: 2009-11-13 17:08:47
Message-ID: a7c175b20911130908h4755ee10o9ee8a7bea8a807ca@mail.gmail.com
Lists: pgsql-admin

On Fri, Nov 13, 2009 at 11:47 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Joe Miller <joe(dot)d(dot)miller(at)gmail(dot)com> writes:
> > I have a PostgreSQL installation for which I would like to limit local
> > domain socket access to the postgres user and members of the "myadmin"
> > group. I've modified pg_hba.conf to trust local domain socket connections,
> > and changed these settings in postgresql.conf:
> > unix_socket_group = 'myadmin'
> > unix_socket_permissions = 0770
>
> Looks reasonable.
>
> > When I look at the socket file in /tmp, I see the following:
> > srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432
>
> Huh, did you restart the server? Are you sure you modified the right
> config file? Those settings obviously didn't "take".
>

Definitely the right file, and I've restarted multiple times. If I set this:

#unix_socket_group = ''
unix_socket_permissions = 0770

...everything works as I expect. I have access logged in as either root or
postgres, but get "permission denied" if I'm logged in as a myadmin user.

If I set this:

unix_socket_group = 'myadmin'
unix_socket_permissions = 0777

...connection is refused for all accounts. For this config, I'd expect to
see the socket owned by the myadmin group, but I should have access from any
account, correct?

Joe
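
A check for the symptom discussed in this thread, as an added example that is not part of the original message: it reads the effective unix_socket_group and unix_socket_permissions values from configuration text and compares them with the mode and group of the socket file on disk. The function names and SAMPLE_CONF are assumptions made for illustration; the defaults used are PostgreSQL's documented ones (empty group, 0777).

```python
import grp
import os
import re
import stat

# Constructed sample: the settings from the post plus a commented-out default line.
SAMPLE_CONF = """\
#unix_socket_group = ''
unix_socket_group = 'myadmin'
unix_socket_permissions = 0770   # octal needs the leading 0
"""

_SETTING = re.compile(
    r"^\s*(unix_socket_group|unix_socket_permissions)(?:\s*=\s*|\s+)('[^']*'|[^\s#]+)")

def effective_settings(conf_text):
    """Settings as the server reads them: '#' lines ignored, last assignment wins."""
    found = {"unix_socket_group": "", "unix_socket_permissions": 0o777}  # defaults
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip("'")
            if name == "unix_socket_permissions":
                value = int(value, 8) if value.startswith("0") else int(value)
            found[name] = value
    return found

def check_socket(path, settings):
    """Return mismatches between the socket file on disk and the settings."""
    if not os.path.exists(path):
        return [f"{path}: no such file"]
    st = os.stat(path)
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{path}: not a socket")
    mode, want = stat.S_IMODE(st.st_mode), settings["unix_socket_permissions"]
    if mode != want:
        problems.append(f"mode is {mode:04o}, configured {want:04o}")
    group = settings["unix_socket_group"]
    if group:
        try:
            if st.st_gid != grp.getgrnam(group).gr_gid:
                problems.append(f"gid is {st.st_gid}, not group {group!r}")
        except KeyError:
            problems.append(f"group {group!r} does not exist on this host")
    return problems

if __name__ == "__main__":
    # Path is the socket shown in the post; SAMPLE_CONF stands in for postgresql.conf.
    print(check_socket("/tmp/.s.PGSQL.5432", effective_settings(SAMPLE_CONF)))
```

An empty list means the socket matches the configuration that was parsed; any entry points at a setting that did not take effect on the file.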
