Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-14 Thread Peter J. Holzer
On 2016-05-09 16:18:39 -0400, D'Arcy J.M. Cain wrote: > On Mon, 9 May 2016 13:02:53 -0700 > Adrian Klaver wrote: > > So define PHP runs as 'nobody'? > > Because of the way PHP and Apache work, PHP scripts have to run as the > Apache user which, in my case anyway, is

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-13 Thread D'Arcy J.M. Cain
On Tue, 10 May 2016 11:20:05 -0400 "D'Arcy J.M. Cain" wrote: > On Tue, 10 May 2016 10:46:39 -0400 > George Neuner wrote: > > On Linux (or Unix) you'd set up a forwarding record in iptables that > > redirects a second port to Postgresql. > > Forwarding to

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-11 Thread Bruno Wolff III
On Mon, May 09, 2016 at 22:43:53 -0400, "D'Arcy J.M. Cain" wrote: Of course PHP scripts have to run as nobody so I have no choice other than to have them store passwords in various config.php files but PHP users are used to that. I would like to fix that but that's a war for

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-10 Thread D'Arcy J.M. Cain
On Tue, 10 May 2016 10:46:39 -0400 George Neuner wrote: > On Linux (or Unix) you'd set up a forwarding record in iptables that > redirects a second port to Postgresql. Forwarding to a different host is bad enough without explaining different ports. I think my idea will do

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-10 Thread George Neuner
On Tue, 10 May 2016 09:50:10 -0400, "D'Arcy J.M. Cain" wrote: >On Mon, 09 May 2016 18:15:16 -0400 >Tom Lane wrote: >> > I did think of that but how do I define that in pg_hba? The host >> > field only specifies the remote IP, not the local one. >> >>

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-10 Thread D'Arcy J.M. Cain
On Tue, 10 May 2016 09:50:10 -0400 "D'Arcy J.M. Cain" wrote: > Can you expand on this? I can't seem to get my head around it. How > does the client make it look like it is coming from this ersatz > loopback IP? In fact, I don't even need to add this to pg_hba since > anything

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-10 Thread D'Arcy J.M. Cain
On Mon, 09 May 2016 18:15:16 -0400 Tom Lane wrote: > > I did think of that but how do I define that in pg_hba? The host > > field only specifies the remote IP, not the local one. > > Right, but you'd be using it essentially as a loopback interface. > Say you set it up as

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread D'Arcy J.M. Cain
On Mon, 9 May 2016 14:56:14 -0700 John R Pierce wrote: > over a tcp socket, there's no way of knowing *WHAT* the system user > is short of querying the unreliable service 'authd' (113/tcp) and > hoping that it A) exists and B) returns something meaningful. > authd/ident

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread D'Arcy J.M. Cain
On Mon, 9 May 2016 17:50:52 -0400 Scott Mead wrote: > > was thinking of something like this: > > > > host all joe@nobody 192.168.151.75/32 password > > host all all 192.168.151.75/32 ident > > > > The "all@nobody" field is meant to

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread Tom Lane
"D'Arcy J.M. Cain" writes: > On Mon, 09 May 2016 17:12:22 -0400 > Tom Lane wrote: >> If the same user id + database combinations might be valid in both >> cases (from both PHP and manual connections) I think your only other >> option for distinguishing which

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread John R Pierce
On 5/9/2016 2:42 PM, D'Arcy J.M. Cain wrote: I had an idea that that wouldn't be so easy else we would have had it by now. However, I am not sure that that is what is needed. I was thinking of something like this: host all joe@nobody 192.168.151.75/32 password host all

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread Scott Mead
On Mon, May 9, 2016 at 5:42 PM, D'Arcy J.M. Cain wrote: > On Mon, 09 May 2016 17:12:22 -0400 > Tom Lane wrote: > > If the same user id + database combinations might be valid in both > > cases (from both PHP and manual connections) I think your only other > >

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread D'Arcy J.M. Cain
On Mon, 09 May 2016 17:12:22 -0400 Tom Lane wrote: > If the same user id + database combinations might be valid in both > cases (from both PHP and manual connections) I think your only other > option for distinguishing which auth method to use is to make them > come in on

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread Bruno Wolff III
On Mon, May 09, 2016 at 13:39:48 -0700, Adrian Klaver wrote: The above does not make sense to me. Maybe I am not understanding if you mean connect and login as the same thing or not? I could see connecting as 'nobody' and then doing SET ROLE as user. Or connect as

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread Tom Lane
"D'Arcy J.M. Cain" writes: > Here's my situation. I have a mix of users. Some are running PHP > sites and some are not. PHP runs as the web server owner, "nobody." > Everyone else runs as their own user. > Since the PHP sites run as nobody I want to require password but

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread Adrian Klaver
On 05/09/2016 01:18 PM, D'Arcy J.M. Cain wrote: On Mon, 9 May 2016 13:02:53 -0700 Adrian Klaver wrote: So define PHP runs as 'nobody'? Because of the way PHP and Apache work, PHP scripts have to run as the Apache user which, in my case anyway, is "nobody" so every

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread John R Pierce
On 5/9/2016 1:18 PM, D'Arcy J.M. Cain wrote: Basically I think that pg_hba.conf is missing a feature. We can specify the database, the user and the address but we can't specify the authenticated user. When it sees this; provided user name (x) and authenticated user name (nobody) do not match

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread D'Arcy J.M. Cain
On Mon, 9 May 2016 13:02:53 -0700 Adrian Klaver wrote: > So define PHP runs as 'nobody'? Because of the way PHP and Apache work, PHP scripts have to run as the Apache user which, in my case anyway, is "nobody" so every PHP script runs as nobody. Meanwhile non-PHP

Re: [GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread Adrian Klaver
On 05/09/2016 12:44 PM, D'Arcy J.M. Cain wrote: Here's my situation. I have a mix of users. Some are running PHP sites and some are not. PHP runs as the web server owner, "nobody." Everyone else runs as their own user. Since the PHP sites run as nobody I want to require password but accept

[GENERAL] Using both ident and password in pg_hba.conf

2016-05-09 Thread D'Arcy J.M. Cain
Here's my situation. I have a mix of users. Some are running PHP sites and some are not. PHP runs as the web server owner, "nobody." Everyone else runs as their own user. Since the PHP sites run as nobody I want to require password but accept ident (from the server I control) for the rest.