That sounds similar to what we are trying to accomplish. Looks like what we need to do is use the sudo at the OS level - and remove the postgres db user account altogether.... giving specific users the privs (or create roles) that accomplish what they need.

Plugge, Joe R. wrote:
If the user is allowed to become (sudo - postgres) they can stop and start the 
database and then change the pg_hba.conf, creating unrestricted access into the 
database, even from remote machines.  Typically on our systems, we do not allow 
users to log into the actual machine, rather create roles in the database 
according to their needs and then have them come in from another machine.  This 
keeps all sorts of undesirable behavior (zcat, grep, cut, awk, programs running 
etc) off of your database machine.

-----Original Message-----
From: Maria L. Wilson [mailto:[email protected]]
Sent: Wednesday, June 30, 2010 3:03 PM
To: Plugge, Joe R.
Cc: Wilson, Maria Louise (LARC-E301)[SCIENCE SYSTEMS APPLICATIONS]; 
[email protected]
Subject: Re: [ADMIN] postgres database user account

ok - thanks that makes sense....

so what about the operating system account that is different? What we are planning on doing with the OS acct (postgres) is only allowing users sudo ability to this account. Nobody should be able to directly log into it. Do you think that will cause problems?

thanks again - Maria

Plugge, Joe R. wrote:
Yes, you can create a role that is a superuser that should be able to do 
internal work:

CREATE ROLE myuser;
ALTER ROLE myuser WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN PASSWORD 
'mypassword' VALID UNTIL 'infinity';

If you are talking about the operating system account named postgres, then this 
is a different question.

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Maria L. Wilson
Sent: Wednesday, June 30, 2010 2:15 PM
To: [email protected]
Subject: [ADMIN] postgres database user account

Hoping someone out there can answer this general question(s).... I am having to justify having access to the "postgres" database user account to do DBA type work..... Are there any specific items that require the postgres database user account to run?

Can any general user (with superuser permission) basically do what this postgres account does?

thanks,  Maria Wilson
Nasa/Langley Research Center
Hampton, Virginia 23681


--
Sent via pgsql-admin mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
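
The thread above notes that anyone who can become the postgres OS user can edit pg_hba.conf and open the database to remote machines. As an added example (not code from the thread or from PostgreSQL), this sketch audits a pg_hba.conf for rules that use trust authentication or admit any address; the function names and the sample file are constructed for illustration, and quoted fields and include directives are not handled.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _net(s):
    try:
        return ipaddress.ip_network(s, strict=False)
    except ValueError:  # hostname, keyword, auth method, or unparsable mask
        return None

def parse_hba(text):
    """Yield (lineno, type, address, method) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # simplification: ignores quoted fields
        if f and f[0] == "local" and len(f) >= 4:
            yield lineno, f[0], None, f[3]
        elif f and f[0] in HOST_TYPES and len(f) >= 5:
            addr, rest = f[3], f[4:]
            if len(rest) >= 2 and _net(rest[0]) is not None:  # "IP netmask" form
                addr, rest = addr + "/" + rest[0], rest[1:]
            yield lineno, f[0], addr, rest[0]

def is_any_address(addr):
    net = _net(addr)
    return addr == "all" or (net is not None and net.prefixlen == 0)

def audit(text):
    """Return [(lineno, reason)] for rules that skip passwords or admit any host."""
    findings = []
    for lineno, kind, addr, method in parse_hba(text):
        wide = addr is not None and is_any_address(addr)
        if method == "trust":
            reason = "trust from any address" if wide else "trust (no password)"
            findings.append((lineno, reason))
        elif wide:
            findings.append((lineno, "any address allowed"))
    return findings

# Constructed sample, not taken from any real server.
SAMPLE = """\
local   all    postgres                           peer
host    all    all      127.0.0.1/32              md5
host    appdb  appuser  10.0.5.0 255.255.255.0    md5
host    all    all      0.0.0.0/0                 trust
hostssl all    all      ::/0                      md5
local   all    all                                trust
"""

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Running it on a schedule and comparing the findings against the previous run gives a simple way to notice when the file has been loosened.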
