Re: Thoughts on the location of configuration files

Bruce Momjian <pgman@candle.pha.pa.us>

From: Bruce Momjian <pgman@candle.pha.pa.us>
To: PostgreSQL-development <pgsql-hackers@postgreSQL.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Peter Eisentraut <peter_e@gmx.net>
Date: 2001-12-24T04:39:47Z
Lists: pgsql-hackers
> How many people really use unix socket permissions in postgresql.conf?
> Probably very few.  We could announce when it goes away, and even throw
> an error if it appears in postgresql.conf.  Seems that would clear it up
> and make the feature much more usable.
> 
> Security is very easy to mess up.  That's why I think clarity is
> important.  If we are going to change the default socket permissions to
> 700, that clearly would be a good time to make the change, no?

Now that I look at postgresql.conf, I do see lots of connection-related
stuff:
	
	#
	#       Connection Parameters
	#
	#tcpip_socket = false
	#ssl = false
	
	#max_connections = 32
	
	#port = 5432 
	#hostname_lookup = false
	#show_source_port = false
	
	#unix_socket_directory = ''
	#unix_socket_group = ''
	#unix_socket_permissions = 0777
	
	#virtual_host = ''
	
	#krb_server_keyfile = ''

I guess my problem is that we will have 'trust' in pg_hba.conf, but then
override that in postgresql.conf by restricting permissions to one user.
That seems kind of strange.  We may have to change pg_hba.conf 'trust'
anyway to something like 'socketpermit', or remove the permission
setting in postgresql.conf and add the two new ones I suggested,
singleuser, and singlegroup.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026