[Peter Tribble:]
| > | > Shouldn't we think about collapsing the two users for postgres and mysql
| > | > into a single dbuser?
| > |
| > | Doesn't seem advantageous to me - I can quite imagine
| > | scenarios where both databases would be running on a single
| > | box for quite different purposes.
| >
| > It would mean different users for every piece of software we integrate,
| > and unnecessary administrative overhead for these. Is this useful
| > enough to justify it?
|
| Definitely.
|
| > What are the chances of having different types of databases running on
| > the same system? _and where the administrator of both has to be different_?
|
| Pretty high. The idea here is to provide ready to run software stacks.
| Many applications strongly prefer a particular database (SQL varies
| quite a bit, unfortunately). I'm thinking about application stacks in which
| the database is treated more as an embedded component rather
| than as an application in its own right.
|
| I'll turn the question around - given that you might have two independent
| applications which have two different databases underneath them, why
| would you even consider using the same username/userid?

What is the reason for selecting different users for different applications? I remember that we used to run all the daemons as nobody. The only reason that I know of that we switched to different usernames is to limit the access of an intruder who managed to compromise an app.

In the case of pre-fab user-names, I think it is easier for the administrator to manage the files of a group of applications by using the same username rather than to switch to multitudes of usernames to manage each. I think using dbuser for database applications strikes the right balance considering the above two.

| (It gets worse - on my consolidated oracle boxes the different oracle
| instances run under different usernames. Of course, if we were to do
| that again we would separate them with zones instead.)

Yes, but you were not using pre-fab usernames for those. If the user wants, he is still free to add additional usernames as he wishes.

| > The same holds true for other server software too, like webservers (we
| > are integrating apache and lightd, and we are going with webserverd as
| > the user for these.)
|
| I'm actually wondering about the general usefulness of the supplied
| usernames. In fact, thinking about this reminds me that if a mysql
| user is ever supplied by default then I'll need to delete that user so
| as not to conflict with the existing mysql account on my servers.

I agree. It would be better not to use a pre-fab username if we can help it. But in cases like package installs, I am not sure if we can get input from the user on this.

rahul

--
1. e4 _
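
The account conflict raised in the thread above (a package-supplied mysql user colliding with an existing site account) can be detected non-interactively before a package install creates anything. The following is an added example, not part of the original thread or of any packaging tool; the function name `check_service_account`, the UIDs and the passwd content are all constructed for illustration.

```shell
#!/bin/sh
# Added example: what should a preinstall step do with a pre-fab account?
# All account names, UIDs and passwd entries below are constructed samples.

# check_service_account PASSWD_FILE NAME UID  (hypothetical helper)
# Prints exactly one verdict:
#   create         neither the name nor the UID is in use
#   reuse          the name already exists with the wanted UID
#   name-conflict  the name exists with a different UID (site-local account)
#   uid-conflict   the UID already belongs to a different account name
check_service_account() {
    awk -F: -v name="$2" -v uid="$3" '
        /^#/ || NF < 3          { next }                 # skip comments and junk
        $1 == name && $3 == uid { verdict = "reuse"; exit }
        $1 == name              { verdict = "name-conflict"; exit }
        $3 == uid && !verdict   { verdict = "uid-conflict" }
        END { print (verdict ? verdict : "create") }
    ' "$1"
}

# Constructed passwd content: the site already has its own mysql account.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
mysql:x:1001:1001:site MySQL DBA:/export/home/mysql:/bin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:
EOF
}

# Demo: the accounts a package might want to supply, as name:uid pairs.
tmp=$(mktemp) && sample_passwd > "$tmp"
for want in mysql:70 postgres:90 dbuser:1001 mysql:1001; do
    printf '%s -> %s\n' "$want" \
        "$(check_service_account "$tmp" "${want%%:*}" "${want##*:}")"
done
rm -f "$tmp"
```

A preinstall step would proceed only on `create` or `reuse` and stop on either conflict verdict, leaving the existing account untouched.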