[Dbconfig-common-devel] Re: postgresql server and .pgpass
Martin Pitt
mpitt at debian.org
Fri May 12 15:49:15 UTC 2006
Hi Sean,
sean finney [2006-05-12 3:18 -0400]:
> (putting dbconfig-common-devel back into the cc for posterity, hope you
> don't mind)
Of course not.
> > That's the part I don't understand so far: why would you create a new
> > db user with a password and then store that password unencrypted on
> > the hard disk in a .pgpass file? If you do want to authenticate users
> > with a password, they should enter it themselves. If they are supposed
> > to connect without a password, then please use ident authentication.
>
> this method is only used during the setup/upgrade/purge phases, and
> the file is only stored on the system in a temporary directory long
> enough to execute the command. i believe this is the safest way
> to provide the authentication information because any other method
> would involve using cmdline flags or environment variables that others
> could see.
Still, I do not believe in writing passwords to the disk. :/
I see two alternatives which seem much less hackish to me:
* Connect to the database as db superuser (usually 'postgres'); this
can connect to the database without any password ('ident
sameuser'). Then, if you want to do stuff as the user, execute a
"SET SESSION AUTHORIZATION 'user'" command.
* Start the postmaster with a temporary pg_hba.conf which only allows
local 'ident sameuser' access for the db superuser and the 'normal'
user. With 7.4, you have to temporarily replace
/etc/postgresql/7.4/<cluster>/pg_hba.conf, with 8.1 you can specify
an alternative pg_hba.conf location with something like
pg_ctlcluster -o '-c hba_file=/tmp/dbconfig.hba' 8.1 main start
(I did not test this; pg_ctlcluster already uses this parameter to
specify the normal pg_hba.conf file, I think the -o argument will
override it; if that breaks, please bug me and I'll fix it).
What do you think?
> okay. i don't really so much care *how* it's done, but i need some
> way of specifying an alternate .pgpass, or some other way of supplying
> the credentials automatically.
It seems this is already solved in the other mail.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
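The two alternatives sketched above, as an added shell example that is not code from this thread or from dbconfig-common: it assumes the Debian 8.1 cluster layout (pg_ctlcluster, /etc/postgresql/8.1/<cluster>), a hypothetical application role name passed in as an argument, and, as Martin himself says, it treats the hba_file override via -o as untested.

```shell
#!/bin/sh
# Added example, not code from the thread or from dbconfig-common: run a
# maintenance SQL file as an application user without ever writing that
# user's password to disk. Assumes pg_ctlcluster and the 8.1 cluster layout;
# the "-o '-c hba_file=...'" override is an assumption (untested by Martin).
set -eu

# Temporary pg_hba.conf: local ident-sameuser for the superuser and one
# application user, everything else rejected. Written with mode 0600.
write_temp_hba() {
    hba="$1"; dbuser="$2"
    ( umask 077; cat > "$hba" ) <<EOF
# temporary pg_hba.conf for dbconfig maintenance; local ident only
# TYPE  DATABASE  USER      METHOD
local   all       postgres  ident sameuser
local   all       $dbuser   ident sameuser
local   all       all       reject
EOF
}

# Quote an SQL identifier: double any embedded double quotes so a role name
# read from a config file cannot break out of the quoted identifier.
quote_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Prelude for the session: connect as postgres (ident), then drop to the
# application user so the rest of the script runs with its privileges only.
session_prelude() {
    printf 'SET SESSION AUTHORIZATION %s;\n' "$(quote_ident "$1")"
}

# Full procedure: restart the cluster on the temporary hba file, feed the
# prelude plus the maintenance SQL to psql as postgres, restore on exit.
run_maintenance() {
    dbuser="$1"; sqlfile="$2"; version="${3:-8.1}"; cluster="${4:-main}"
    hba=$(mktemp /tmp/dbconfig.hba.XXXXXX)
    write_temp_hba "$hba" "$dbuser"
    # Whatever happens, go back to the normal pg_hba.conf and drop the file.
    trap 'pg_ctlcluster "$version" "$cluster" restart; rm -f "$hba"' EXIT
    pg_ctlcluster -o "-c hba_file=$hba" "$version" "$cluster" restart
    { session_prelude "$dbuser"; cat "$sqlfile"; } \
        | su -s /bin/sh postgres -c 'psql -q -v ON_ERROR_STOP=1'
}
```

Nothing in the procedure is passed on the command line or in the environment, so the credentials never appear in `ps` output, in a .pgpass file, or in a temporary directory.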