Date:      Fri, 12 Sep 2003 19:35:17 -0500
From:      Kirk Strauser <kirk@strauser.com>
To:        "Andrew L. Gould" <algould@datawok.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Solved! Trying to secure PostgreSQL
Message-ID:  <871xulbk56.fsf_-_@strauser.com>
In-Reply-To: <200309121828.41900.algould@datawok.com> (Andrew L. Gould's message of "Fri, 12 Sep 2003 18:28:41 -0500")
References:  <87r82lbu4y.fsf@strauser.com> <200309121639.14573.algould@datawok.com> <87fzj1bqp9.fsf@strauser.com> <200309121828.41900.algould@datawok.com>


At 2003-09-12T23:28:41Z, "Andrew L. Gould" <algould@datawok.com> writes:

> You might be interested in 'ident same' or some other combination of
> options.

That was exactly what I needed - thanks!

My pg_hba.conf now looks like:

    local   all         pgsql                                           ident    sameuser
    local   all         all                                             ident    webusers
    host    all         all         127.0.0.1         255.255.255.255   md5
    host    all         all         10.0.5.16         255.255.255.255   md5

This enforces password authing on the appropriate network interfaces.

For local connections, user `pgsql' can connect as that username, but no
other user can connect as `pgsql', and `pgsql' can't connect as any other
user.

Other users can connect locally if and only if they are defined in the
`webusers' map in pg_ident.conf.

That was the biggest part of my intended security overhaul.  Now I want to
prevent users from seeing databases that they're not authorized to access,
but since they can't connect to them anyway, I'm not nearly as concerned
about that.

Thanks again to all who helped!
-- 
Kirk Strauser
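
Added example, not part of the original message: a small Python model of how the four pg_hba.conf records above are evaluated, using first-match semantics (the first record matching connection type, user and address decides, with no fall-through). The `webusers` map entries, the OS and database user names other than `pgsql`, and the function names `match_rule` and `decide` are constructed for illustration; the database column is ignored because every record uses `all`.

```python
import ipaddress

# (type, database, user, address, mask, method, option): records from the message
HBA = [
    ("local", "all", "pgsql", None, None, "ident", "sameuser"),
    ("local", "all", "all", None, None, "ident", "webusers"),
    ("host", "all", "all", "127.0.0.1", "255.255.255.255", "md5", None),
    ("host", "all", "all", "10.0.5.16", "255.255.255.255", "md5", None),
]

# Constructed pg_ident.conf content: (map name, OS user, database user)
IDENT = [
    ("webusers", "www", "webapp"),
    ("webusers", "alice", "alice"),
]

def match_rule(conn_type, db_user, client_ip=None):
    """Return the first record matching the connection, or None."""
    for rule in HBA:
        rtype, _db, ruser, addr, mask, _method, _opt = rule
        if rtype != conn_type or ruser not in ("all", db_user):
            continue
        if rtype == "host":
            net = ipaddress.ip_network(f"{addr}/{mask}")
            if ipaddress.ip_address(client_ip) not in net:
                continue
        return rule
    return None

def decide(conn_type, os_user, db_user, client_ip=None):
    """Outcome of one connection attempt: 'ok', 'reject' or 'md5'."""
    rule = match_rule(conn_type, db_user, client_ip)
    if rule is None:
        return "reject"              # no matching record at all
    method, option = rule[5], rule[6]
    if method == "md5":
        return "md5"                 # the password check decides
    if option == "sameuser":         # OS user must equal requested DB user
        return "ok" if os_user == db_user else "reject"
    # Any other option names a map in pg_ident.conf
    return "ok" if (option, os_user, db_user) in IDENT else "reject"
```

In this model `decide("local", "www", "pgsql")` is rejected at the first record without ever reaching the `webusers` line, so a map entry granting someone the `pgsql` database user would have no effect. The reverse restriction (OS user `pgsql` connecting as another database user) holds only as long as the map contains no entry for OS user `pgsql`.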



