
Re: Connect error

From: Bill Moseley <moseley(at)hank(dot)org>
To: pgsql-novice(at)postgresql(dot)org
Subject: Re: Connect error
Date: 2004-01-12 23:58:49
Message-ID: 20040112235849.GC19901@hank.org
Lists: pgsql-novice

OK, I think I get it now.

For a database "newdb", created by user moseley, to allow connections
only from user moseley and the web server running as www-data,
add the following line early:

    # TYPE  DATABASE    USER    IP-ADDRESS  IP-MASK   METHOD
    local    newdb       all                          ident webaccess

So, all unix-domain connections (local) trying to connect to user "newdb"
will check the "webaccess" map in the pg_ident.conf file.

    webaccess    moseley  moseley
    webaccess    www-data moseley

The first one is basically duplicating the "sameuser" feature.
Connection requests as user moseley must ident as user moseley.

The second one says connections for user moseley can ident as
"www-data".  "www-data" does not need to be a postgres user, of course.

    bumby:~$ whoami
    www-data

    bumby:~$ psql -Umoseley newdb
    Welcome to psql 7.4.1, the PostgreSQL interactive terminal.

Now, to allow host connections (which is how my web application would
connect), add the "host" line:


    # TYPE  DATABASE    USER    IP-ADDRESS  IP-MASK   METHOD
    local    newdb       all                          ident webaccess
    host     newdb       all 127.0.0.1 255.255.255.255 ident webaccess

I'm running Debian sid which didn't have ident running, so I installed
the ident2 package before this would work.


I'm just learning, but...

I doubt I would use this method.  Instead I'd use the md5 method
and load the password into the web server on startup (when running as
root).  That won't work with CGI programs, but will with mod_perl, for
example.  With the above method anyone with access to the web server can
access the newdb database.  Using a username and password also allows
GRANT permissions per user.




-- 
Bill Moseley
moseley(at)hank(dot)org
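
As an added example (not part of the original message), the Python sketch below models the first-match pg_hba.conf lookup and the ident map check for the lines quoted above, so the OS accounts that can connect as a given database user can be listed during a review. The function names are hypothetical, and only the ident method with `all` or exact database and user names is modelled.

```python
import ipaddress
# Constructed input: the pg_hba.conf and pg_ident.conf lines quoted in the message.
PG_HBA = """\
# TYPE  DATABASE    USER    IP-ADDRESS  IP-MASK   METHOD
local    newdb       all                          ident webaccess
host     newdb       all 127.0.0.1 255.255.255.255 ident webaccess
"""
PG_IDENT = """\
webaccess    moseley  moseley
webaccess    www-data moseley
"""

def rows(text):
    # Yield the whitespace-split fields of each non-blank, non-comment line.
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def parse_hba(text):
    # 'local DB USER METHOD [MAP]' or 'host DB USER ADDR MASK METHOD [MAP]'
    rules = []
    for f in rows(text):
        net = None
        if f[0] != "local":
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            f = f[:3] + f[5:]  # drop address and mask so both forms line up
        rules.append({"type": f[0], "db": f[1], "user": f[2], "net": net,
                      "method": f[3], "map": f[4] if len(f) > 4 else None})
    return rules

def ident_allows(rules, ident_map, os_user, pg_user, db, conn="local", addr=None):
    # The first matching pg_hba rule decides; no matching rule means rejection.
    for r in rules:
        if r["type"] != conn or r["db"] not in ("all", db) or r["user"] not in ("all", pg_user):
            continue
        if r["net"] is not None and ipaddress.ip_address(addr) not in r["net"]:
            continue
        if r["method"] != "ident":
            raise ValueError(f"method {r['method']} is not modelled here")
        if r["map"] == "sameuser":
            return os_user == pg_user
        return (r["map"], os_user, pg_user) in ident_map
    return False

def os_users_for(rules, ident_map, pg_user, db, conn="local", addr=None):
    # OS accounts named in the map that would be accepted as pg_user.
    return {o for (_, o, _) in ident_map
            if ident_allows(rules, ident_map, o, pg_user, db, conn, addr)}

RULES = parse_hba(PG_HBA)
IDENT = {tuple(f[:3]) for f in rows(PG_IDENT)}
```

Calling `os_users_for(RULES, IDENT, "moseley", "newdb")` lists every OS account the map accepts as database user moseley, which is the set to review before relying on ident for a web application.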

