trust auth in 7.4

Hi,

docs say (19.2.1):

When trust authentication is specified, PostgreSQL assumes that anyone who
can connect to the server is authorized to access the database as whatever
database user he specifies (including the database superuser). This method
should only be used when there is adequate operating system-level
protection on connections to the server.

but nowadays one can specify users in pg_hba.conf, and 19.1 says:

user

Specifies which PostgreSQL users this record matches. The value all
specifies that it matches all users. Otherwise, this is the name of a
specific PostgreSQL user. Multiple user names can be supplied by
separating them with commas. Group names can be specified by preceding
the group name with +. A file containing user names can be specified by
preceding the file name with @. The file must be in the same directory
as pg_hba.conf.

Which of these is right? I hope the last also holds for 'trust' lines?

(and yes, I know you don't want to use this :-))

Regards,
--
Henk van Lingen, Systems & Network Administrator (o- -+
Dept. of Computer Science, Utrecht University. /\ |
phone: +31-30-2535278 v_/_
http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to ma*******@postgresql.org

Nov 22 '05 #1
On Thu, Jan 22, 2004 at 03:33:05PM +0100, Henk van Lingen wrote:

> but nowadays one can specify users in pg_hba.conf, and 19.1 says:


one other thing about this:

the pg_hba.conf shipped with 7.4.1 PGDG RPMs for RHEL 3 has:

# CAUTION: The default configuration allows any local user to connect
# using any PostgreSQL user name, including the superuser, over either
# Unix-domain sockets or TCP/IP. If you are on a multiple-user
# machine, the default configuration is probably too liberal for you.
# Change it to use something other than "trust" authentication.

but the only active line is:

local all all ident sameuser

which seems not quite what was said above, to me.

Regards,

--
Henk van Lingen, Systems & Network Administrator (o- -+
Dept. of Computer Science, Utrecht University. /\ |
phone: +31-30-2535278 v_/_
http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/


Nov 22 '05 #2
Henk van Lingen <he****@cs.uu.nl> writes:
> the pg_hba.conf shipped with 7.4.1 PGDG RPMs for RHEL 3 has:
>
> # CAUTION: The default configuration allows any local user to connect
> # using any PostgreSQL user name, including the superuser, over either
> # Unix-domain sockets or TCP/IP. If you are on a multiple-user
> # machine, the default configuration is probably too liberal for you.
> # Change it to use something other than "trust" authentication.

Which is correct for a stock built-from-source installation.

> but the only active line is:
> local all all ident sameuser
> which seems not quite what was said above, to me.


The RPM distribution changes the default authentication setup. Seems
like that patch ought to adjust the comments too ... Lamar?

regards, tom lane


Nov 22 '05 #3
On Thu, Jan 22, 2004 at 15:33:05 +0100,
Henk van Lingen <he****@cs.uu.nl> wrote:
> Hi,
>
> docs say (19.2.1):
>
> When trust authentication is specified, PostgreSQL assumes that anyone who
> can connect to the server is authorized to access the database as whatever
> database user he specifies (including the database superuser). This method
> should only be used when there is adequate operating system-level
> protection on connections to the server.
>
> but nowadays one can specify users in pg_hba.conf, and 19.1 says:
>
> user
>
> Specifies which PostgreSQL users this record matches. The value all
> specifies that it matches all users. Otherwise, this is the name of a
> specific PostgreSQL user. Multiple user names can be supplied by
> separating them with commas. Group names can be specified by preceding
> the group name with +. A file containing user names can be specified by
> preceding the file name with @. The file must be in the same directory
> as pg_hba.conf.
>
> Which of these is right? I hope the last also holds for 'trust' lines?


Both. The second part says that in pg_hba.conf you can say which postgres
users can connect to which databases. The first part says that trust
authentication says that postgres will allow you to be whatever user you
want without having to prove it in any way.


Nov 22 '05 #4
On Thu, Jan 22, 2004 at 11:00:25AM -0600, Bruno Wolff III wrote:
> > docs say (19.2.1):
> >
> > When trust authentication is specified, PostgreSQL assumes that anyone who
> > can connect to the server is authorized to access the database as whatever
> > database user he specifies (including the database superuser). This method
> > Which of these is right? I hope the last also holds for 'trust' lines?
>
> Both. The second part says that in pg_hba.conf you can say which postgres
> users can connect to which databases. The first part says that trust
> authentication says that postgres will allow you to be whatever user you
> want without having to prove it in any way.


Well, I think the first part is misleading. Trying it, it seems to work
as I hoped. If I have a line like

host somedb bruno 192.168.5.5 255.255.255.255 trust

bruno can connect from 192.168.5.5 but tom can't.

I think the first part should say 'as the users specified in the specific
pg_hba.conf line without doing further checks'.

Never mind.

Regards,

--
Henk van Lingen, Systems & Network Administrator (o- -+
Dept. of Computer Science, Utrecht University. /\ |
phone: +31-30-2535278 v_/_
http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/


Nov 22 '05 #5
On Thu, Jan 22, 2004 at 18:11:36 +0100,
Henk van Lingen <he****@cs.uu.nl> wrote:

> host somedb bruno 192.168.5.5 255.255.255.255 trust
>
> bruno can connect from 192.168.5.5 but tom can't.


It isn't clear whether you are referring to postgres or OS users above.

The OS user tom can connect as the postgres user bruno from 192.168.5.5.


Nov 22 '05 #6
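
The matching behaviour discussed in the posts above, as an added example that is not part of the original thread or of PostgreSQL's code: a simplified first-match evaluator run over the two pg_hba.conf lines quoted on this page. The function names and the reduced parser (address and mask columns only, no `+group`, `@file` or CIDR forms) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the two pg_hba.conf lines quoted in the thread (7.4 layout).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER   IP-ADDRESS   IP-MASK          METHOD
local   all       all                                  ident sameuser
host    somedb    bruno  192.168.5.5  255.255.255.255  trust
"""

def parse_hba(text):
    """Parse 'local' and 'host addr mask' records; other forms are out of scope."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            db, user, method, net = fields[1], fields[2], fields[3], None
        else:
            db, user, addr, mask, method = fields[1:6]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        records.append({"type": fields[0], "db": db.split(","),
                        "user": user.split(","), "net": net, "method": method})
    return records

def _listed(name, names):
    return "all" in names or name in names

def auth_method(records, db, claimed_user, client_ip=None):
    """Return the method of the first matching record, or None (rejected).

    client_ip=None models a Unix-socket connection. There is deliberately no
    OS-user parameter: record selection never sees who the client really is.
    """
    for r in records:
        if r["type"] == "local":
            if client_ip is not None:
                continue
        elif client_ip is None or ipaddress.ip_address(client_ip) not in r["net"]:
            continue
        if _listed(db, r["db"]) and _listed(claimed_user, r["user"]):
            return r["method"]
    return None

def trust_records(records):
    """Audit helper: records that accept the claimed user name unverified."""
    return [r for r in records if r["method"] == "trust"]

RECORDS = parse_hba(SAMPLE_HBA)
```

The user column narrows which claimed names reach the `trust` record; once a name matches, `trust` performs no further check, which is why `trust_records` is worth running over any production file.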
On Thu, Jan 22, 2004 at 11:56:10AM -0600, Bruno Wolff III wrote:

> > host somedb bruno 192.168.5.5 255.255.255.255 trust
> >
> > bruno can connect from 192.168.5.5 but tom can't.
>
> It isn't clear whether you are referring to postgres or OS users above.
>
> The OS user tom can connect as the postgres user bruno from 192.168.5.5.


Of course, I was referring to postgres users. I think the doc can be
clearer. If you disagree, never mind :-)

Regards,

--
Henk van Lingen, Systems & Network Administrator (o- -+
Dept. of Computer Science, Utrecht University. /\ |
phone: +31-30-2535278 v_/_
http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/


Nov 22 '05 #7


I know I can write plpgsql functions that return sets.
Does postgres support returning multiple sets from a function?

Bill McMilleon

Nov 22 '05 #8
bi*******************@mcmilleon.com wrote:
> I know I can write plpgsql functions that return sets.
> Does postgres support returning multiple sets from a function?


No.

Joe

Nov 22 '05 #9
<bi*******************@mcmilleon.com> writes:
> Does postgres support returning multiple sets from a function?


Not directly. You can fake it in some cases by returning several open
cursors and expecting the caller to fetch from those cursors. However,
if you can't write SQL queries that can be executed to return each of
the needed return sets, you're out of luck --- there's nothing so
flexible as RETURN NEXT.

I don't think this is an unfixable limitation; the needed mechanisms
all exist, it's a matter of figuring out what a reasonable syntactic
representation would look like. Any thoughts?

regards, tom lane


Nov 22 '05 #10
Bruno Wolff III wrote:
> On Thu, Jan 22, 2004 at 15:33:05 +0100,
> Henk van Lingen <he****@cs.uu.nl> wrote:
> > Hi,
> >
> > docs say (19.2.1):
> >
> > When trust authentication is specified, PostgreSQL assumes that anyone who
> > can connect to the server is authorized to access the database as whatever
> > database user he specifies (including the database superuser). This method
> > should only be used when there is adequate operating system-level
> > protection on connections to the server.
> >
> > but nowadays one can specify users in pg_hba.conf, and 19.1 says:
> >
> > user
> >
> > Specifies which PostgreSQL users this record matches. The value all
> > specifies that it matches all users. Otherwise, this is the name of a
> > specific PostgreSQL user. Multiple user names can be supplied by
> > separating them with commas. Group names can be specified by preceding
> > the group name with +. A file containing user names can be specified by
> > preceding the file name with @. The file must be in the same directory
> > as pg_hba.conf.
> >
> > Which of these is right? I hope the last also holds for 'trust' lines?
>
> Both. The second part says that in pg_hba.conf you can say which postgres
> users can connect to which databases. The first part says that trust
> authentication says that postgres will allow you to be whatever user you
> want without having to prove it in any way.


This patch clarifies that the user column still applies for 'trust'.

--
Bruce Momjian | http://candle.pha.pa.us
pg***@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

Index: doc/src/sgml/client-auth.sgml
================================================== =================
RCS file: /cvsroot/pgsql-server/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.62
diff -c -c -r1.62 client-auth.sgml
*** doc/src/sgml/client-auth.sgml 13 Dec 2003 23:59:06 -0000 1.62
--- doc/src/sgml/client-auth.sgml 26 Jan 2004 05:33:29 -0000
***************
*** 535,542 ****
<para>
When <literal>trust</> authentication is specified,
<productname>PostgreSQL</productname> assumes that anyone who can
! connect to the server is authorized to access the database as
! whatever database user he specifies (including the database superuser).
This method should only be used when there is adequate operating system-level
protection on connections to the server.
</para>
--- 535,543 ----
<para>
When <literal>trust</> authentication is specified,
<productname>PostgreSQL</productname> assumes that anyone who can
! connect to the server is authorized to access the database with
! whatever database user they specify (including the database superuser).
! Of course, restrictions placed in the <literal>user</> column still apply.
This method should only be used when there is adequate operating system-level
protection on connections to the server.
</para>
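
Review bot: The added "Of course, restrictions placed in the user column still apply" line names only the user column, while a trust record is scoped by its database and address fields as well (the thread's own example, "host somedb bruno 192.168.5.5 255.255.255.255 trust", restricts all three); consider "restrictions placed in the database and user columns still apply". The paragraph also still does not say outright that the user name is accepted as claimed with no verification, which is the point that caused the confusion between PostgreSQL users and OS users earlier in the thread, and the reworded "with whatever database user they specify" reads less clearly than the original "as whatever database user". Dropping "Of course" would keep the sentence in the neutral tone of the rest of the paragraph.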

Nov 22 '05 #11
