RE: [ADMIN] RE: Security Question

Wed, 22 Dec 1999 01:52:00 -0800 

The problem of the pg_passwd command (used to feed the password.dbname files) is that 
is only stores 8 characters from the username provided, even if you typed more, and 
even if the Postgres username have more characters.
I don't know if one can add the missing characters or create the file with another 
tool (htpasswd from Apache). The problem is that you can't log in using the 8 chars 
username, nor the full username stored in the pg_shadow table.

Nicolas Huillard

-----Message d'origine-----
De:     Mark Jewiss [SMTP:[EMAIL PROTECTED]]
Date:   mercredi 22 d�cembre 1999 09:59
�:      Tim Perdue
Cc:     [EMAIL PROTECTED]
Objet:  Re: [ADMIN] RE: Security Question

Hello,

On Tue, 21 Dec 1999, Tim Perdue wrote:

> There's got to be a way to create multiple
> databases and have each one protected by a
> different username/password. Right now, any
> authorized user can connect to any database. Grant
> only works on tables, which is not useful in this
> case (grant against a DB would be useful).

One way to achieve this that I'm playing with at the moment is to edit the
pg_hba.conf file with entries like this:

host  dbname  IP_ADDRESS  NETMASK  password  password.dbname

Each password.file contains the username and encrypted password of the
user(s) that you want to be able to connect to the database - I'd include
an admin account of your own to be on the safe side.

Presumably you want users to be able to grant other users access to their
database if they want to. Give them a web interface that allows them to
add and remove users from the password file (but not the admin user of
yours). Look at HTTPD-User-Manage to start with.

This allows you to store the password files in the users home directory,
with UNIX permissions so that they can only read or write to the file
through the web interface.

Of course this means editing the pg_hba.conf file every time a new
database is created, but you can get around that with a couple of scripts
and a trigger.

Hope this helps, any queries about the theory of what I've said, just ask.

Regards,

Mark.
-- 
Mark Jewiss
Knowledge Matters Limited
http://www.knowledge.com


************


************

Reply via email to