From: "Andrew L. Gould"
To: Kirk Strauser
cc: freebsd-questions@freebsd.org
Date: Fri, 12 Sep 2003 18:28:41 -0500
Subject: Re: Trying to secure PostgreSQL
Message-Id: <200309121828.41900.algould@datawok.com>
In-Reply-To: <87fzj1bqp9.fsf@strauser.com>

On Friday 12 September 2003 05:13 pm, Kirk Strauser wrote:
> At 2003-09-12T21:39:14Z, "Andrew L. Gould" writes:
> > You're looking for something difficult when the easier answer is correct.
> >
> > As root, set pgsql's password by executing:
> >
> > passwd pgsql
>
> What would that buy me?  After doing that, I can still access any database
> on the system with:
>
>     kirk@kanga:~$ psql -U pgsql template1
>     Welcome to psql 7.3.4, the PostgreSQL interactive terminal.
>
> without being prompted for a password.  I don't want users, even local
> users, to have full run of the database as the user of their choice.

In your situation, I would give pgsql a password, regardless.  Then read the
documentation that comes in pg_hba.conf and at:

http://www.postgresql.org/docs/7.3/static/client-authentication.html#AUTH-PG-HBA-CONF

You might be interested in 'ident same' or some other combination of options.

Andrew Gould
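
An added example, not part of the original message: a small Python check of which pg_hba.conf record decides a local connection such as `psql -U pgsql template1`. It assumes the passwordless login comes from a `trust` record; both sample configurations and all function names are constructed for illustration, using the 7.3 column layout and the `ident sameuser` option spelling from the documentation linked above.

```python
# Added example, not from the original thread. Both configurations below are
# constructed samples in the PostgreSQL 7.3 pg_hba.conf column layout.
WEAK_HBA = """\
# TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
local   all       all                                trust
host    all       all   127.0.0.1   255.255.255.255  trust
"""

HARDENED_HBA = """\
# TYPE  DATABASE  USER   IP-ADDRESS  IP-MASK          METHOD
local   all       pgsql                               md5
local   all       all                                 ident sameuser
host    all       all    127.0.0.1   255.255.255.255  md5
"""


def parse_hba(text):
    """Return [(line_no, type, database, user, method), ...], comments skipped."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # "local" has no address columns; host records carry address + mask.
        method_at = 3 if fields[0] == "local" else 5
        if len(fields) <= method_at:
            raise ValueError(f"line {line_no}: too few fields")
        records.append((line_no, fields[0], fields[1], fields[2], fields[method_at]))
    return records


def _covers(field, name):
    # Simplification: handles "all" and comma-separated names only.
    return field == "all" or name in field.split(",")


def local_method(text, database, user):
    """Method of the first local record matching database and user, else None."""
    # The server uses the first matching record, so record order matters.
    for _, conn_type, db, usr, method in parse_hba(text):
        if conn_type == "local" and _covers(db, database) and _covers(usr, user):
            return method
    return None  # no matching record: the connection is rejected


def trust_lines(text):
    """Line numbers of every record that authenticates with trust."""
    return [r[0] for r in parse_hba(text) if r[4] == "trust"]
```

With `md5`, the server checks the password stored in the database for that user (set with `ALTER USER ... WITH PASSWORD`), which is separate from the system account password.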