Re: Getting a DB password to work without editing pg_hba.conf,

From: Madison Kelly <linux(at)alteeve(dot)com>
To: PgSQL General List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Getting a DB password to work without editing pg_hba.conf,
Date: 2005-12-16 20:19:44
Message-ID: 43A32160.7090208@alteeve.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Tom Lane wrote:
> Madison Kelly <linux(at)alteeve(dot)com> writes:
>
>>May I ask then? What *is* considered "best practices" for securing a
>>database in PostgreSQL? Assuming I leave the 'pg_hba.conf' file at it's
>>default values, is there any real point to having a password on a
>>postgresql user account?
>
>
> Well, if there were a single "best practice" then we'd not need to offer
> so many options ;-). It depends a lot on your needs and environment.
> On a single-user machine where you're not allowing any remote
> connections, you might as well use "trust" --- I tend to run all my
> development installations that way. Ident can be pretty convenient too
> for local users (I wouldn't trust it for remote connections though).
> Otherwise you probably need passwords.
>
> In any case, this just applies to whether you let someone connect or
> not. What they can do after they've connected is a different
> discussion. For that you use SQL privileges (GRANT/REVOKE).
>
> regards, tom lane

In this case I can't predict what a given install's postgresql will
be used for (outside of my program) because it is meant for general
distribution (it's a backup program). This obviously makes things a lot
more complicated. :p

While I developed the program that is what I did, just changed from
'ident' to 'trust'. Now though I am trying to keep what the end user
needs to do to a minimum because I've aimed the backup program at more
novice users (though not excluively). That is the biggest reason why I
am trying to work with the stock 'pg_hba.conf' file (understanding that
it can change from one distro to the next). Generally though I've only
seen the same 'local...' settings.

In my program the database needs to reside on the local machine so as
far as I am concerned my only worry is the 'local...' settings. There
may be issues with connections coming in over 'host...' connections but
I want to deal with one issue at a time. :p

So what purpose does the password on the user account accomplish? Is
it essentially useless in my scenario?

Again, thanks for your help/time!

Madison

PS - I read about 'GRANT/REVOKE' but I have to admit the postgres docs
on the topic didn't help me much. I need something a little more
"junior". :p

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Madison Kelly (Digimer)
TLE-BU; The Linux Experience, Back Up
Main Project Page: http://tle-bu.org
Community Forum: http://forum.tle-bu.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Michael Fuhr 2005-12-16 20:21:52 Re: Transacciones Anidadas
Previous Message Niblett, David A 2005-12-16 20:14:57 PL/pgSQL Function Help