[Dbconfig-common-devel] Re: postgresql server and .pgpass
sean finney
seanius at debian.org
Fri May 12 17:04:21 UTC 2006
On Fri, May 12, 2006 at 05:49:15PM +0200, Martin Pitt wrote:
> > enough to execute the command. i believe this is the safest way
> > to provide the authentication information because any other method
> > would involve using cmdline flags or enviornment variables that others
> > could see.
>
> Still, I do not believe in writing passwords to the disk. :/
well, you should keep in mind that the password is probably already
existing somewhere else on disk, like the configuration file for the
web application :)
> I see two alternatives which seem much less hackish to me:
>
> * Connect to the database as db superuser (usually 'postgres'); this
> can connect to the database without any password ('ident
> sameuser'). Then, if you want to do stuff as the user, execute a
> "SET SESSION AUTHORIZATION 'user'" command.
oh, this is a neat trick. i'll make a note of it.
> * Start the postmaster with a temporary pg_hba.conf which only allows
> local 'ident sameuser' access for the db superuser and the 'normal'
> user. With 7.4, you have to temporarily replace
> /etc/postgresql/7.4/<cluster>/pg_hba.conf, with 8.1 you can specify
> an alternative pg_hba.conf location with something like
>
> pg_ctlcluster -o '-c hba_file=/tmp/dbconfig.hba' 8.1 main start
i find it amusing that you would suggest stopping a database server,
and temporarily replacing its config files as "much less hackish" :)
sean
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/dbconfig-common-devel/attachments/20060512/6673efd6/attachment.pgp
More information about the Dbconfig-common-devel
mailing list