At 2003-09-12T23:28:41Z, "Andrew L. Gould" <[EMAIL PROTECTED]> writes:

> You might be interested in 'ident same' or some other combination of
> options.

That was exactly what I needed - thanks!

My pg_hba.conf now looks like:

    local   all         pgsql                                           ident    
    local   all         all                                             ident    
    host    all         all   md5
    host    all         all   md5

This enforces password authing on the appropriate network interfaces.

For local connections, user `pgsql' can connect as that username, but no
other user can connect as `pgsql', and `pgsql' can't connect as any other

Other users can connect locally if and only if they are defined in the
`webusers' map in pg_ident.conf.

That was the biggest part of my intended security overhaul.  Now I want to
prevent users from seeing databases that they're not authorized to access,
but since they can't connect to them anyway, I'm not nearly as concerned
about that.

Thanks again to all who helped!
Kirk Strauser

Attachment: pgp00000.pgp
Description: PGP signature

Reply via email to