Re: Thoughts on the location of configuration files
Bruce Momjian <pgman@candle.pha.pa.us>
From: Bruce Momjian <pgman@candle.pha.pa.us>
To: PostgreSQL-development <pgsql-hackers@postgreSQL.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Peter Eisentraut <peter_e@gmx.net>
Date: 2001-12-24T04:39:47Z
Lists: pgsql-hackers
> How many people really use unix socket permissions in postgresql.conf? > Probably very few. We could announce when it goes away, and even throw > an error if it appears in postgresql.conf. Seems that would clear it up > and make the feature much more usable. > > Security is very easy to mess up. That's why I think clarity is > important. If we are going to change the default socket permissions to > 700, that clearly would be a good time to make the change, no? Now that I look at postgresql.conf, I do see lots of connection-related stuff: # # Connection Parameters # #tcpip_socket = false #ssl = false #max_connections = 32 #port = 5432 #hostname_lookup = false #show_source_port = false #unix_socket_directory = '' #unix_socket_group = '' #unix_socket_permissions = 0777 #virtual_host = '' #krb_server_keyfile = '' I guess my problem is that we will have 'trust' in pg_hba.conf, but then override that in postgresql.conf by restricting permissions to one user. That seems kind of strange. We may have to change pg_hba.conf 'trust' anyway to something like 'socketpermit', or remove the permission setting in postgresql.conf and add the two new ones I suggested, singleuser, and singlegroup. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026