On Wed, 31 Jul 2002, Bruce Momjian wrote:

> Marc G. Fournier wrote:
> > On Wed, 31 Jul 2002, Bruce Momjian wrote:
> >
> > > Marc G. Fournier wrote:
> > > > On Wed, 31 Jul 2002, Bruce Momjian wrote:
> > > >
> > > > > Ron Snyder wrote:
> > > > > > >
> > > > > > > Yes, is that your pg_hba.conf line? 'password' is insecure over
> > > > > > > networks you don't trust.
> > > > > >
> > > > > > Yes, we're using 'password password' in our pg_hba.conf file. I trust my
> > > > > > network (so far).
> > > > >
> > > > > That is another major limitation to secondary password files. In fact,
> > > > > md5 will not even work because we assume the username is used as the
> > > > > salt for the md5 encryption. We don't store the salt as part of the
> > > > > encrypted password like crypt does.
> > > > >
> > > > > This was another reason secondary password files were discouraged.
> > > >
> > > > discouraged?? where? :)
> > >
> > > Well. I meant that they had very limited usefulness. You had to trust
> > > your network.
> >
> > that is the case for a lot of software, and a lot of networks nowadays are
> > moving towards encrypted at the switch level, so the local network itself
> > is considered to be 'secure' ...
> >
> > But, personally, you sooooooo sold me on that GUC thing that if we could
> > implement that in time for v7.3, I think a lot of ppl would find that
> > *quite* valuable ...
> >
>
> I am working on it now. I decided against doing any kind of database
> prepending at the user level. You create the user as 'dbname.username'.
> That is clearer, rather than prepending based on the db you are
> connected to. The only code change is in the postmaster authentication
> lookup and ownership setting from the backend connection.

Okay, just a couple of questions ... is there any way of providing 'superuser' access to a user of the database for creating new users? Say one creates a dbname.pgsql account, could it be given 'create user' privileges for other users with a prefix of dbname.*?

And what happens if one doesn't specify dbname.*? Does that user become 'global', or have access to nothing?