Re: Additional role attributes && superuser review
| From | Bruce Momjian |
|---|---|
| Subject | Re: Additional role attributes && superuser review |
| Date | |
| Msg-id | 20160117185549.GE16401@momjian.us |
| In reply to | Re: Additional role attributes && superuser review (Stephen Frost <sfrost@snowman.net>) |
| Responses | Re: Additional role attributes && superuser review |
| List | pgsql-hackers |
On Sun, Jan 17, 2016 at 01:49:19PM -0500, Stephen Frost wrote:
> * Bruce Momjian (bruce@momjian.us) wrote:
> > > pgbackrest:
> > >
> > > To run pgbackrest as a non-superuser and not the 'postgres' system
> > > user, grant the pg_backup role to the backrest user and ensure the
> > > backrest system user has read access to the database files (eg: by
> > > having the system user be a member of the 'postgres' group):
> >                                                        ------
> >
> > Just to clarify, the 'postgres' OS user group cannot read the data
> > directory, e.g.
> >
> >     drwx------ 19 postgres staff 4096 Jan 17 12:19 data/
> >                            ^^^group
> >
> > I assume we don't want to change that.
>
> This is going to be distribution dependent, unfortunately. On
> Debian-based distributions, the group is 'postgres' and it'd be
> perfectly reasonable to allow that group to read the data directory.

Well, while the group name would be OS-dependent, the lack of any group
permissions is not OS-dependent and is forced by initdb:

    umask(S_IRWXG | S_IRWXO);

    create_data_directory();

> I don't recall offhand if that means we'd have to make changes to allow
> that, but, for my 2c, I don't see why we wouldn't allow it to be an
> option.

OK, that would be an initdb change then.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Roman grave inscription +
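The umask behaviour quoted in the message above, as an added example that is not part of the original message or of PostgreSQL's initdb source: it creates a scratch directory under the quoted mask and under a hypothetical group-read mask, and returns the mode each one ends up with. The function names, the scratch path and the second mask are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a scratch directory with the given umask and requested mode and
 * return the rwx permission bits it actually received, or -1 on error.
 * The caller's umask is restored and the directory is removed again. */
static int mode_after_umask(mode_t mask, mode_t requested)
{
    const char *tmp = getenv("TMPDIR");
    char path[256];
    struct stat st;
    int result = -1;

    /* Scratch path is an assumption; mkdir() fails if it already exists. */
    snprintf(path, sizeof(path), "%s/umask_demo_%ld",
             tmp ? tmp : "/tmp", (long) getpid());

    mode_t old = umask(mask);
    if (mkdir(path, requested) == 0) {
        if (stat(path, &st) == 0)
            result = (int) (st.st_mode & 0777);
        rmdir(path);
    }
    umask(old);
    return result;
}

/* Returns 1 if the mode grants any access to group or other. */
static int group_or_other_access(int mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

int main(void)
{
    /* Mask quoted in the message: every group and other bit is stripped. */
    int strict = mode_after_umask(S_IRWXG | S_IRWXO, 0777);
    /* Hypothetical alternative: keep group read/search, strip the rest. */
    int group_read = mode_after_umask(S_IWGRP | S_IRWXO, 0777);

    printf("umask 0077 -> %04o (group/other access: %d)\n",
           strict, group_or_other_access(strict));
    printf("umask 0027 -> %04o (group/other access: %d)\n",
           group_read, group_or_other_access(group_read));
    return strict == 0700 ? 0 : 1;
}
```

Because the mask is applied inside the creating process, membership in the owning group gives a backup user nothing until the directory is created with a different mask or its mode is changed afterwards.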