Re: DB Access Restrictions

Kris Deugau wrote:
> I'm finalizing the setup to be used to host customer DBs for a domain
> hosting service, and I'd like to make sure I've got the access controls
> straight:
>
> In pg_hba.conf, I've seen and managed to figure out *most* of how access
> to the various DBs can be controlled.  I'll be using the "password"

If your network is not secure, I recommend MD5.  In fact, we recommend
MD5 with encrypted_passwords enabled in postgresql.conf in almost all
cases.  Encrypted passwords will be the default in 7.3.

> authentication, most likely with either sameuser or all:
>   -> db of "sameuser" *REQUIRES* that the connecting user have the same
>      name as the database they're trying to connect to - for ANYONE
>      using this access method
>   -> db of "all" lets the access control slip down a level to whether a
>      user has provided the proper password.
>
> Is there any way to simply specify a list of users for each db?  I

In 7.3, due out in a few months, there is a USER column where you can
list users or specify a filename containing usernames.

> haven't been able to figure out if that's possible or not with
> "password" authentication.  (ident is useless;  all DB access except
> limited administrative control on my part will be via PHP across the
> local UNIX socket- and ident will return "apache" if it returns anything
> useful at all.)

In 7.2.X and earlier, the only way is to specify a secondary password
file, and list user names in there.  You don't actually need the
passwords in the file, just the usernames, but again, that only works
with 'password', I think.



--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073