[Dbconfig-common-devel] Re: postgresql server and .pgpass

Martin Pitt mpitt at debian.org
Fri May 12 15:49:15 UTC 2006


Hi Sean,

sean finney [2006-05-12  3:18 -0400]:
> (putting dbconfig-common-devel back into the cc for posterity, hope you
> don't mind)

Of course not.

> > That's the part I don't understand so far: why would you create a new
> > db user with a password and then store that password unencrypted on
> > the hard disk in a .pgpass file? If you do want to authenticate users
> > with a password, they should enter it themselves. If they are supposed
> > to connect without a password, then please use ident authentication.
> 
> this method is only used during the setup/upgrade/purge phases, and
> the file is only stored on the system in a temporary directory long
> enough to execute the command.  i believe this is the safest way
> to provide the authentication information because any other method
> would involve using cmdline flags or environment variables that others
> could see.

Still, I do not believe in writing passwords to the disk. :/

I see two alternatives which seem much less hackish to me:

 * Connect to the database as db superuser (usually 'postgres'); this
   can connect to the database without any password ('ident
   sameuser'). Then, if you want to do stuff as the user, execute a
   "SET SESSION AUTHORIZATION 'user'" command.

 * Start the postmaster with a temporary pg_hba.conf which only allows
   local 'ident sameuser' access for the db superuser and the 'normal'
   user. With 7.4, you have to temporarily replace
   /etc/postgresql/7.4/<cluster>/pg_hba.conf, with 8.1 you can specify
   an alternative pg_hba.conf location with something like

     pg_ctlcluster -o '-c hba_file=/tmp/dbconfig.hba' 8.1 main start
   
   (I did not test this; pg_ctlcluster already uses this parameter to
    specify the normal pg_hba.conf file, I think the -o argument will
    override it; if that breaks, please bug me and I'll fix it).

What do you think?

> okay.  i don't really so much care *how* it's done, but i need some
> way of specifying an alternate .pgpass, or some other way of supplying
> the credentials automatically.

It seems this is already solved in the other mail.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
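
Added example, not part of the mail above and not dbconfig-common code: a sketch of the first alternative Martin lists, running setup SQL through a passwordless superuser connection with SET SESSION AUTHORIZATION. The function names, the role `appuser`, the sample statement and the use of `runuser` are assumptions for illustration.

```shell
#!/bin/bash
# Added example: run setup SQL as an application role without any
# password on the command line, in the environment or on disk.
set -eu

# sql_literal VALUE: quote VALUE as a SQL string literal (' becomes '').
# Assumes standard_conforming_strings is on, so backslashes are literal.
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# wrap_as_role ROLE: read SQL on stdin and emit it wrapped so that a
# superuser session runs it with ROLE's privileges, then drops back.
wrap_as_role() {
    printf 'SET SESSION AUTHORIZATION %s;\n' "$(sql_literal "$1")"
    cat
    printf 'RESET SESSION AUTHORIZATION;\n'
}

# run_as_role ROLE DBNAME: feed the wrapped SQL to psql running as the
# 'postgres' OS user, which authenticates over the local socket by
# ident, so no credentials are handled here at all.
# -X skips ~/.psqlrc; ON_ERROR_STOP aborts on the first failing statement.
run_as_role() {
    wrap_as_role "$1" |
        runuser -u postgres -- psql -X -q -v ON_ERROR_STOP=1 -d "$2"
}

# Constructed demo: print what would be sent to psql, without connecting.
if [ "${1:-}" = "--demo" ]; then
    printf 'CREATE TABLE t (id int);\n' | wrap_as_role appuser
fi
```

Because the session is still authenticated as the superuser, the wrapped SQL can issue RESET SESSION AUTHORIZATION itself, so this suits trusted package scripts and is not a sandbox for untrusted SQL.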