A question about permissions

Started by David Madore, about 24 years ago (2 messages, general)

#1 David Madore
david.madore@ens.fr

Hi.

I have a question about setting up permissions on a PostgreSQL server:
I can't figure out how to get pg_hba.conf set up to do what I want,
and perhaps someone can help me with this.

The problem is the following: I have a small number of users on my
system with a specific PostgreSQL account. The latter is always named
in the same way as the user, and the pg_hba.conf file states

host all 127.0.0.1 255.255.255.255 ident sameuser

Now I would like to make the databases readable by anyone. To this
effect, I have created an extra PostgreSQL account, "guest". And I
would like anyone to be able to access this "guest" account (without,
of course, having to enter a password or anything like that). How can
I achieve this? The only solution I can see is to use some specific
identd mapping, and replace the line above by

host all 127.0.0.1 255.255.255.255 ident sameorguest

and write a (very long) pg_ident.conf that maps every username on the
system to "guest" plus every specific account to itself. But this is
quickly unmanageable as new accounts are being added to the system all
the time.

Surely there must be some better way to achieve such a simple task?

Another (rather distantly related) question: is there some way to
perform uid-based authentication on a UNIX-domain socket? It seems
absurd to use a TCP socket on localhost and identd for this effect: it
is slower, and identd is sometimes unreliable, whereas credentials can
be sent on a Unix-domain socket through sendmsg() and related
functions.

Thanks for any help.

PS: Please send a copy of replies to me personally as I do not receive
mail from the list. Thanks again.

--
David A. Madore
(david.madore@ens.fr,
http://www.eleves.ens.fr:8080/home/madore/ )
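
The uid-based check raised in the second question above, as an added example (not part of the original thread and not PostgreSQL's own code): on Linux, a client passes its pid/uid/gid over a Unix-domain socket with sendmsg() and SCM_CREDENTIALS, the kernel verifies them, and the server applies a "same user or guest" rule with no per-user map. The helper names, the `may_connect_as` policy and the role names are assumptions for illustration.

```python
import os
import pwd
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
UCRED = struct.Struct("iII")

def send_with_credentials(sock, payload):
    """Client: attach our pid/uid/gid; the kernel rejects values we do not own."""
    creds = UCRED.pack(os.getpid(), os.getuid(), os.getgid())
    sock.sendmsg([payload], [(socket.SOL_SOCKET, socket.SCM_CREDENTIALS, creds)])

def recv_with_credentials(sock, bufsize=1024):
    """Server: return (payload, uid) taken from the kernel-checked ancillary data."""
    data, ancdata, _flags, _addr = sock.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            _pid, uid, _gid = UCRED.unpack(cdata[:UCRED.size])
            return data, uid
    raise PermissionError("no credentials received; is SO_PASSCRED set?")

def may_connect_as(uid, requested_role, guest_role="guest"):
    """Hypothetical policy: the shared guest role, or the role named like the OS user."""
    if requested_role == guest_role:
        return True
    try:
        return pwd.getpwuid(uid).pw_name == requested_role
    except KeyError:  # uid has no passwd entry: only guest is allowed
        return False

def demo(requested_role):
    """Run both ends over a socketpair; the payload is the requested role name."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server, client:
        # The receiver must opt in before the message arrives.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        send_with_credentials(client, requested_role.encode())
        role, uid = recv_with_credentials(server)
        return uid, may_connect_as(uid, role.decode())

if __name__ == "__main__":
    print(demo("guest"))
    print(demo("some_other_user"))  # constructed role name
```

The server trusts only the uid delivered in the ancillary data, never a user name carried in the payload.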

#2 Andrew Gould
andrewgould@yahoo.com
In reply to: David Madore (#1)
Re: A question about permissions

The following configuration line should allow anyone
to log in as him/herself or guest.

host all 127.0.0.1 255.255.255.255 password

I don't think this would weaken your current level of
security, as a user name and password would still be
needed to log in as someone else. You could even
assign passwords that are different from users' system
passwords.

Best of luck,

Andrew Gould

