PostgreSQL Administration

Author

alter user

Wim Bertels

2005-09-22, 8:24 pm

Scott Marlowe

2005-09-22, 8:24 pm

Instead of using a general purpose account, why not give everyone an account, then make them a member of a group, and give that group the access.

That way you can easily add / remove people from the group instead of trying to do it this way.

Otherwise, don't use a password, set the machine to use trust or ident or something like that where a password wouldn't matter.

-----Original Message-----
From: pgsql-admin-owner@postgresql.org on behalf of Wim Bertels
Sent: Thu 9/22/2005 6:13 PM
To: pgsql-admin@postgresql.org
Subject: [ADMIN] alter user

Ls,

any user can change his own password,
i haven't found a way of prohibiting this.
what about a general user (eg test/test), that is used by many people,
one of those people could use alter user (being connected as test/test) the
change the password, leaving the rest clueless..

suggestions to prevent this?, i need a general (readonly) user!

--
Wim Bertels

Wim Bertels

2005-09-22, 8:24 pm

Bruno Wolff III

2005-09-23, 3:23 am

On Fri, Sep 23, 2005 at 01:13:37 +0200,
Wim Bertels <wim.bertels@khleuven.be> wrote:
> Ls,
>
> any user can change his own password,
> i haven't found a way of prohibiting this.
> what about a general user (eg test/test), that is used by many people,
> one of those people could use alter user (being connected as test/test) the
> change the password, leaving the rest clueless..
>
> suggestions to prevent this?, i need a general (readonly) user!

Tell people not to do this.
Use ident authentication.
Give each person their own postgres account.

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

Bruno Wolff III

2005-09-23, 3:23 am

On Fri, Sep 23, 2005 at 02:32:51 +0200,
Wim Bertels <wim.bertels@khleuven.be> wrote:
>
> although it is then a user/pasword known by a lot of people,
> it is still beter than no password

Why do you say that? Ident authentication is secure if you are on the same
box as the postgers server.

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Tom Lane

2005-09-23, 3:23 am

Bruno Wolff III <bruno@wolff.to> writes:
> Why do you say that? Ident authentication is secure if you are on the same
> box as the postgers server.

The real question is this: given that you don't believe in a personal
password as authorization to use the database, what exactly *would* you
like to believe in? We have a number of possible solutions available,
but I don't know what to recommend ...

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match

Scott Marlowe

2005-09-23, 11:24 am

On Thu, 2005-09-22 at 19:32, Wim Bertels wrote:
> On Friday 23 September 2005 01:51, Scott Marlowe seinde rooksignalen:
>
> not an option, its for scripting and testing purposes

I don't see why my method(s) excludes scripting and testing.

>
> although it is then a user/pasword known by a lot of people,
> it is still beter than no password

No, it really isn't. Once everyone (or a large enough subset of
everyone) knows the password, it's no better than an account that can
log in without one.

If it's a generic read only account with the same name as the database,
give it select only permission, and add a line like this:

host sameuser all 10.1.1.1 255.255.255.0 trust

where the 10.1.1.1 / 255.255.255.0 are replaced with the appropriate
mask to let your test machines log in. Put the host / md5 lines after
this one for the same line but with all in place of sameuser and you're
gold.

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Sponsored Links