From owner-freebsd-questions@FreeBSD.ORG Fri Sep 12 17:35:27 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C7AC016A4BF; Fri, 12 Sep 2003 17:35:27 -0700 (PDT)
Received: from kanga.honeypot.net (kanga.honeypot.net [208.162.254.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7790343F75; Fri, 12 Sep 2003 17:35:25 -0700 (PDT) (envelope-from kirk@strauser.com)
Received: from pooh.strauser.com (pooh.honeypot.net [10.0.5.128]) by kanga.honeypot.net (8.12.9/8.12.9) with ESMTP id h8D0ZL1T017961; Fri, 12 Sep 2003 19:35:22 -0500 (CDT) (envelope-from kirk@strauser.com)
To: "Andrew L. Gould"
cc: freebsd-questions@freebsd.org
From: Kirk Strauser
Date: Fri, 12 Sep 2003 19:35:17 -0500
Subject: Solved! Trying to secure PostgreSQL
Message-ID: <871xulbk56.fsf_-_@strauser.com>
In-Reply-To: <200309121828.41900.algould@datawok.com> (Andrew L. Gould's message of "Fri, 12 Sep 2003 18:28:41 -0500")
References: <87r82lbu4y.fsf@strauser.com> <200309121639.14573.algould@datawok.com> <87fzj1bqp9.fsf@strauser.com> <200309121828.41900.algould@datawok.com>
Lines: 32
X-Mailer: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 13 Sep 2003 00:35:27 -0000

At 2003-09-12T23:28:41Z, "Andrew L. Gould" writes:

> You might be interested in 'ident same' or some other combination of
> options.

That was exactly what I needed - thanks!
My pg_hba.conf now looks like:

    local  all  pgsql                            ident  sameuser
    local  all  all                              ident  webusers
    host   all  all  127.0.0.1  255.255.255.255  md5
    host   all  all  10.0.5.16  255.255.255.255  md5

This enforces password authing on the appropriate network interfaces. For local connections, user `pgsql' can connect as that username, but no other user can connect as `pgsql', and `pgsql' can't connect as any other user. Other users can connect locally if and only if they are defined in the `webusers' map in pg_ident.conf.

That was the biggest part of my intended security overhaul. Now I want to prevent users from seeing databases that they're not authorized to access, but since they can't connect to them anyway, I'm not nearly as concerned about that.

Thanks again to all who helped!
-- 
Kirk Strauser
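The following is an added example, not part of Kirk's mail or of PostgreSQL itself. It models how the server walks the pg_hba.conf above: records are tried top to bottom, the first one whose type, database, user and (for host records) address match is the one that decides, and there is no fallthrough to a later record when that one's ident check fails. The pg_ident.conf map contents (`www` -> `webapp`, `alice` -> `alice`) are constructed for the demonstration, the `resolve()` helper and its decision labels ("allow", "deny", "challenge", "reject") are this example's own, and the host rules use the 2003-era "IP NETMASK" column form exactly as in the mail.

```python
"""Resolve which pg_hba.conf record governs a connection and, for ident
records, whether pg_ident.conf permits the OS-user -> DB-user mapping.

Added example; models first-match semantics of the pg_hba.conf from the
mail.  The webusers map below is constructed, not taken from the mail."""

from ipaddress import ip_address

# pg_hba.conf as posted in the mail (quoted-printable damage removed).
HBA_CONF = """
local  all  pgsql                            ident  sameuser
local  all  all                              ident  webusers
host   all  all  127.0.0.1  255.255.255.255  md5
host   all  all  10.0.5.16  255.255.255.255  md5
"""

# Constructed pg_ident.conf: MAPNAME  SYSTEM-USER  PG-USER
IDENT_CONF = """
webusers  www    webapp
webusers  alice  alice
"""


def parse_hba(text):
    """Parse 'local' and legacy 'host ... IP NETMASK' records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        kind = fields[0]
        if kind == "local":
            rec = {"kind": kind, "db": fields[1], "user": fields[2],
                   "method": fields[3]}
            rest = fields[4:]
        elif kind == "host":
            rec = {"kind": kind, "db": fields[1], "user": fields[2],
                   "ip": ip_address(fields[3]), "mask": ip_address(fields[4]),
                   "method": fields[5]}
            rest = fields[6:]
        else:
            raise ValueError("unsupported record type: %s" % kind)
        rec["map"] = rest[0] if rest else None  # ident map name, if any
        records.append(rec)
    return records


def parse_ident(text):
    """Return {mapname: {(system_user, pg_user), ...}}."""
    maps = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        mapname, sysuser, pguser = fields[:3]
        maps.setdefault(mapname, set()).add((sysuser, pguser))
    return maps


def _matches(rec, kind, db, user, addr):
    """Does this record apply to the connection? ('all' is a wildcard.)"""
    if rec["kind"] != kind:
        return False
    if rec["db"] not in ("all", db):
        return False
    if rec["user"] not in ("all", user):
        return False
    if kind == "host":
        mask = int(rec["mask"])
        if int(addr) & mask != int(rec["ip"]) & mask:
            return False
    return True


def resolve(hba, ident, kind, db, user, addr=None, os_user=None):
    """Return (method, decision) for the first matching record.

    decision: 'allow'/'deny' for ident records (decided by the map),
    'challenge' for password methods (the file alone cannot decide),
    'reject' when no record matches at all."""
    addr = ip_address(addr) if addr else None
    for rec in hba:
        if not _matches(rec, kind, db, user, addr):
            continue
        method = rec["method"]
        if method == "ident":
            if rec["map"] == "sameuser":  # OS user must equal DB user
                ok = os_user == user
            else:
                ok = (os_user, user) in ident.get(rec["map"], set())
            return method, "allow" if ok else "deny"
        return method, "challenge"
    return None, "reject"


if __name__ == "__main__":
    hba, ident = parse_hba(HBA_CONF), parse_ident(IDENT_CONF)
    print(resolve(hba, ident, "local", "db", "pgsql", os_user="alice"))
    print(resolve(hba, ident, "host", "db", "webapp", addr="10.0.5.17"))
```

The second call in the usage section illustrates why the first `local` record is placed before the catch-all: an OS user other than `pgsql` who asks to connect as `pgsql` hits the `sameuser` record first and is denied there, even if a later map would have listed them; the check is never retried against the `webusers` line. A host not listed in either `host` record matches nothing and is rejected outright.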