| From: | Kenneth Buckler <kenneth(dot)buckler(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Autovacuum Issues? |
| Date: | 2011-01-31 20:12:20 |
| Message-ID: | AANLkTi=KmoCG61xAsXPOcx-RUM-FOudFKJ-rUs5SM+mr@mail.gmail.com |
| Lists: | pgsql-general |

Well, that's good news and bad news.

Good news...the application developers' jobs just got a little easier.

Bad news...I get to document why we can't meet this security requirement.

And yes, I agree, it's a pretty air-headed requirement. If I spent
less time chasing compliance, I might actually make the system more
secure.

Ken

On Mon, Jan 31, 2011 at 1:07 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Kenneth Buckler <kenneth(dot)buckler(at)gmail(dot)com> writes:
>> Does autovacuum automatically use the 'postgres' role?
>
> It automatically uses the bootstrap superuser role.
>
>> If so, how can I change what role autovacuum uses?
>
> You can't.
>
>> One of the security requirements
>> I've been required to implement removes superuser privileges from
>> postgres and assigns those privileges to a different role.
>
> You can't mess around with the bootstrap superuser. If you like, you
> can cause it to be named something other than "postgres" --- just run
> initdb as some other operating system user name. (I think it would also
> work to do ALTER USER RENAME after the fact, but haven't really
> experimented with the consequences of that.) But otherwise, this
> "security requirement" seems pretty air-headed. You have to have a
> superuser.
>
> regards, tom lane
>