Re: authentication/privileges

"Sebastian P. Luque" <spluque@gmail.com> writes:
> With peer authentication, one can only login as postgres from a local
> connection.  I'm not sure what password the postgres user was set up in
> the OS, however, I assigned one to it (the same as for the PostgreSQL
> user).  I've read somewhere that the postgres OS user should be left
> locked without password, although it's not clear what was meant by
> "locked".

It's fairly common for distro-supplied packages to create a postgres
OS user but not assign it any password.  In that state, the only way to
become postgres is to "su" to it from root, or perhaps from a sudoer
account with root-equivalent privileges.  While that might be okay
for machines with just one person administering everything, I can't
say that I think it's recommendable practice in general: you don't
want to have to give somebody root to let them admin the database.
Better to give the postgres user a password.

            regards, tom lane