On Thu, Jan 5, 2017 at 11:56 AM, Stephen Frost <sfr...@snowman.net> wrote: > Greetings, > > If we keep it to superusers then we aren't changing anything, from my > point of view at least. That does bring up the question of if it'd be > useful for a non-superuser to be able to control. I'm on the fence > about that at the moment. Generally speaking, it's useful for > non-superusers to be able to control access, but pg_hba is a bit special > as it also controls the auth method and I'm not sure that is really > something it makes sense for a non-superuser to hack around. > > However, the other bits that pg_hba allows (controlling access based on > if it's an SSL connection, or based on the source IP) would be nice to > provide alongside the 'CONNECT' GRANT privilege instead of only being > able to do in pg_hba. > > In short, I'd rather we look at ways to minimize the need for users to > interact with pg_hba.conf than make it easier to do.
That's an interesting point. >> One thing I'm kind of happy about is that, as far as I can see, there >> hasn't been much backlash against the existing ALTER SYSTEM, either >> from a security point of view or a user-confusion point of view. > > I've seen complaints about it and have seen people changing the > permissions to be root/root on the .auto.conf file to disallow 'regular' > superusers from doing ALTER SYSTEM. It's not exactly elegant but it's a > way to avoid the risk of someone messing with the system config without > going through the CM system. Hmm, OK. They're not bothered by ALTER DATABASE the_one_everybody_uses? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
