| From: | Richard Huxton <dev(at)archonet(dot)com> |
|---|---|
| To: | Bill Moran <wmoran(at)collaborativefusion(dot)com> |
| Cc: | woger151 <woger151(at)jqpx37(dot)cotse(dot)net>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: superuser authentication? |
| Date: | 2007-01-03 15:33:14 |
| Message-ID: | 459BCCBA.5060403@archonet.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Bill Moran wrote:
>
> Personally, I'd set auth to password, then keep the password in a file in
> root's home directory and set it readable by root only. If an attacker can
> read that file, he already doesn't need to.
>
> This does mean that you'll have to carefully secure the script you use to
> make backups, since they'll need to have the password in them. But you'll
> need to carefully secure your backups anyway or all the other security is
> rather pointless.
I'd run it as a non-root backup-specific user. That way if someone
compromises the backup process they're limited in the amount of damage
they can do (since the user will only have write access to a few
directories). Also makes auditing easier if you're that way inclined.
--
Richard Huxton
Archonet Ltd
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Marlowe | 2007-01-03 15:34:26 | Re: queueing via database table? |
| Previous Message | Richard Huxton | 2007-01-03 15:24:39 | Re: "no unpinned buffers available" ? why? (hstore and |