Re: server authentication over Unix-domain sockets
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Stephen Frost <sfrost@snowman.net>
Cc: Peter Eisentraut <peter_e@gmx.net>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2010-06-11T12:08:59Z
Lists: pgsql-hackers
On Fri, Jun 11, 2010 at 14:07, Stephen Frost <sfrost@snowman.net> wrote: > * Peter Eisentraut (peter_e@gmx.net) wrote: >> The patch needs some portability work and possible refactoring because >> of that, but before I embark on that, comments on the concept? > > I definitely like the idea but I dislike requiring the user to do > something to implement it. Thinking about how packagers might want to > use it, could we make it possible to build it defaulted to a specific > value (eg: 'postgres' on Debian) and allow users a way to override > and/or unset it? Well, even if we don't put that in, the packager could export a global PGREQUIREPEER environment variable. > Having the option wouldn't do much unless users know of it and use it > and it strikes that will very often not be the case. > > I'm impartial towards whatever PG wants to do with the default, just so > long as packagers can override it and set it to something specific. > Also, to that end, it's got to be name-based. Exim in Debian did > something similar and actually tried to force a particular UID.. that > was horrid. :) On Debian, at least, the user is almost always > 'postgres', but the UID will vary depending on exactly when the packages > were installed (before or after other system-user-creating packages). Oh yes, absolutely name-based. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/