[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnumed-devel] Re: Changes in "pg_hba.conf" between postgresql versions

From: Andreas Tille
Subject: [Gnumed-devel] Re: Changes in "pg_hba.conf" between postgresql versions 7.3.2 & 7.2.2
Date: Wed, 18 Jun 2003 11:13:36 +0200 (CEST)

On Tue, 17 Jun 2003, Michael Bonert wrote:

> Here they are side-by-side:
> -----
> Postgresql 7.3.2 (Mandrake 9.1)
> local   all         all                                             trust
> host    all         all   trust
> -----
> Postgresql 7.2.2 (Mandrake 9.0)
> local   all                                             trust
> host    all   trust
While I have no doubt that this works I decided to open not all rights when
I builded the GnuMed Debian packages.

At first I exclusively use sockets for the connection.  This would leave just
the lines containing 'local' in the beginning.  The lines started with 'host'
can be removed.

Moreover I think allowing authentification TRUST for *all* databases is more
than we want and the number of users can also be reduced.  The databases we
connect to are at first template1.  This is done by the password method and
this leads to the line

local        template1      @gmTemplate1User.list                  password

(for PostgreSQL 7.3.* !! - no tests for 7.2 so far)
The syntax starting with @ for the user means that the users which are allowed
to connect are stored in a file  $PGDATA/gmTemplate1User.list and thus I
have a file

     ~# cat /var/lib/postgres/data/gmTemplate1User.list

on my box.  Once the gnumed-test database is created the user gm-dbowner has
to connect also to this database.  After some discussion with Karsten Hilbert
we found no better way than to use TRUST here.  This leads to the line

local        gnumed-test    @gmTemplate1User.list                  trust

which enables all users listed in /var/lib/postgres/data/gmTemplate1User.list
to access database gnumed-test from localhost.

In my opinion these settings are the most restrictive settings to get the
database bootstrapped.

If local users want to *access* the database we need a further line for

local   gnumed-test  @gmGnumedUser.list                     password

     ~# cat /var/lib/postgres/data/gmGnumedUser.list

so all users who want to *run* GnuMed on localhost have to be listed in this
file to enable password authentication to gnumed-test for them.  The settings
above are quite insecure in my opinion and so I would like you to try this.

Kind regards


reply via email to

[Prev in Thread] Current Thread [Next in Thread]