On Mon, 2004-10-18 at 03:23, sean finney wrote:
...
> > Even if the server is on the local machine, I am opposed to having any
> > application package alter the database access policies. This is OK for
>
> what exactly do you mean by altering access policies? granting
> privileges to a new user?

As the postgresql package is delivered, it will only accept connections where the database user name is the same as the system user name. So, when I am logged in as 'olly', I can only connect to PostgreSQL as the database user 'olly'.

This means that web-based database applications cannot work, because the connection is made by the system user 'www-data', but the user wants to run it as the database user 'olly'; that connection will be rejected. In order to get a connection under those circumstances, the authentication set-up for the database in question needs to be changed to 'md5' (MD5-encrypted passwords). This is done by altering /etc/postgresql/pg_hba.conf.

...
> for the admin password, i agree. for the app_user password, i think
> most apps are storing this password in a cleartext file for the
> application to use (php web apps, for example). that's my opinion,
> anyways.

That may differ per application. I would argue that it is very bad security in all circumstances.

-- 
Oliver Elphick olly@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"Delight thyself also in the LORD; and he shall give thee the desires of thine heart." Psalms 37:4
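The pg_hba.conf change Oliver describes is easy to get wrong in two ways: PostgreSQL applies the first matching line, so an 'md5' line added below the package's 'ident sameuser' line is never reached, and a line written as 'all all' opens password authentication far wider than "the database in question". The following script, added here as an illustration and not part of the thread or of the Debian package, models that first-match resolution over a constructed pg_hba.conf and flags rules that are broader than one database and one user. It assumes CIDR notation for host addresses, exact matching of the connection type column, and does not handle '+group' user entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample pg_hba.conf, not the file the Debian package ships.
# Line 2 grants password access to the web application's database ('webapp')
# for the database user 'olly' only; line 3 is the package default, which
# requires the system user name to equal the database user name.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER   ADDRESS       METHOD
local   webapp    olly                 md5
local   all       all                  ident sameuser
host    all       all    127.0.0.1/32  md5
"""

# Same rules with the two 'local' lines swapped: the md5 line is now dead.
MISORDERED_HBA = """\
local   all       all                  ident sameuser
local   webapp    olly                 md5
"""

PASSWORD_METHODS = {"md5", "password", "crypt"}


@dataclass
class Rule:
    conn_type: str
    databases: List[str]
    users: List[str]
    address: Optional[str]   # CIDR for host rules, None for local
    method: str
    options: List[str]
    lineno: int


def parse_hba(text: str) -> List[Rule]:
    """Parse pg_hba.conf lines (CIDR address syntax only; '+group' users not handled)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            rule = Rule("local", f[1].split(","), f[2].split(","), None, f[3], f[4:], lineno)
        elif f[0] in ("host", "hostssl", "hostnossl"):
            if len(f) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            ipaddress.ip_network(f[3], strict=False)  # reject malformed addresses early
            rule = Rule(f[0], f[1].split(","), f[2].split(","), f[3], f[4], f[5:], lineno)
        else:
            raise ValueError(f"line {lineno}: unknown connection type {f[0]!r}")
        rules.append(rule)
    return rules


def _db_matches(rule: Rule, database: str, user: str) -> bool:
    for entry in rule.databases:
        if entry == "all" or entry == database:
            return True
        if entry == "sameuser" and database == user:
            return True
    return False


def resolve(rules: List[Rule], conn_type: str, database: str, user: str,
            client_ip: Optional[str] = None) -> Optional[Rule]:
    """First matching rule wins, as in PostgreSQL; None means the connection is rejected."""
    for rule in rules:
        if rule.conn_type != conn_type:
            continue
        if not _db_matches(rule, database, user):
            continue
        if "all" not in rule.users and user not in rule.users:
            continue
        if rule.address is not None:
            if client_ip is None:
                continue
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(rule.address, strict=False):
                continue
        return rule
    return None


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Flag rules that grant password (or no) authentication more widely than one database/user."""
    findings = []
    for rule in rules:
        broad = rule.databases == ["all"] and rule.users == ["all"]
        if rule.method == "trust":
            findings.append((rule.lineno, "trust: no authentication at all"))
        elif rule.method == "password":
            findings.append((rule.lineno, "password: client sends the password in cleartext"))
        elif rule.method in PASSWORD_METHODS and broad:
            findings.append((rule.lineno, f"{rule.method} granted for all databases and all users"))
    return findings


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    hit = resolve(rules, "local", "webapp", "olly")
    print(f"www-data connecting as 'olly' to 'webapp': line {hit.lineno}, method {hit.method}")
    dead = resolve(parse_hba(MISORDERED_HBA), "local", "webapp", "olly")
    print(f"misordered file: line {dead.lineno}, method {dead.method} (md5 line never reached)")
    for lineno, msg in audit(rules):
        print(f"line {lineno}: {msg}")
```

Note that under the 'md5' line the system user ('www-data') no longer matters; only the database user name and the password are checked, which is exactly why the line should name the one database and one database user that need it and sit above the package's 'ident sameuser' line.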