Re: Authenticating user `postgres'
From | Arcady Genkin |
---|---|
Subject | Re: Authenticating user `postgres' |
Date | |
Msg-id | r1zlmizuljy.fsf@bashful.cdf.toronto.edu |
In response to | Re: Authenticating user `postgres' (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-general |

Tom Lane <tgl@sss.pgh.pa.us> writes:

> Arcady Genkin <a.genkin@utoronto.ca> writes:
> > Tom Lane <tgl@sss.pgh.pa.us> writes:
> >> Offhand I'd think it foolish to make it easier to get into the
> >> superuser account than regular accounts anyway.
> >
> > Not so much if the database only listens on unix domain socket, which
> > has tight permissions, and a UNIX user has to identify himself with a
> > valid password anyways.
>
> So? If you can trust local connections from the user who is superuser
> to be correctly authenticated, then you can also trust local connections
> from the users who are non-superusers. I really completely fail to see
> the point of requiring a password to connect to non-critical accounts
> while having no password (*LESS* security) for the critical superuser
> account.

Suppose that one of the non-superusers accounts is user `apache'.
There is a higher chance that this user account is compromised, than
the `postgres' account.

I can see your point, though.

--
Arcady Genkin