setting up pg_ident for peer auth with unix groups


setting up pg_ident for peer auth with unix groups

Geoff Winkless
Hi

Not sure if I'm missing something obvious but I can't see a way to set up pg_ident with unix groups in the username maps.

https://www.postgresql.org/docs/12/auth-username-maps.html

Is it possible or do I have to set up one entry for every user?

Ta

Geoff

Re: setting up pg_ident for peer auth with unix groups

Holger Jakobs-2

Hi Geoff,

No, there is no such mechanism. The ident service (it's not safe as you probably know) only delivers the name of the user who has initiated the TCP connection to the PG server.

This will be matched to the PG user the connection is supposed to be established as. If they match, the respective line of pg_hba.conf might grant access.

pg_ident.conf can be used to match system usernames (of the client machine) to PG usernames.

The /etc/group file which technically could be accessed by PG processes resides on the server and thus could be very different from the one on the client machine. Plus, the system username used on the client machine may not even exist on the server, nor does the PG username have to exist as a system username on client or server.

Therefore, using Unix groups wouldn't make much sense.

Regards,

Holger

On 30.01.20 at 12:59, Geoff Winkless wrote:
> Hi
>
> Not sure if I'm missing something obvious but I can't see a way to set up pg_ident with unix groups in the username maps.
>
> https://www.postgresql.org/docs/12/auth-username-maps.html
>
> Is it possible or do I have to set up one entry for every user?
>
> Ta
>
> Geoff
--

Holger Jakobs, Bergisch Gladbach
instant messaging: xmpp:holger@jakobs.com
+49 178 9759012 or +49 2202 817157
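Added example, not part of the thread or of PostgreSQL itself. It assumes peer authentication over the local Unix socket, where the server's own /etc/group is the one that matters, and shows the fallback Geoff asked about: generating one pg_ident.conf entry per group member, then checking a (system user, PG role) pair against the resulting map using the documented matching rules (exact match, or a regular expression when the system-username field starts with a slash, with the first capture group substituted for \1). The group file contents, map name and role name below are constructed sample values.

```python
import re
from typing import List, Tuple

# Constructed /etc/group excerpt; not taken from any real machine.
SAMPLE_GROUP_FILE = """\
root:x:0:
pgusers:x:1010:alice,bob,carol
staff:x:50:dave
"""


def group_members(group_file_text: str, group_name: str) -> List[str]:
    """Return the supplementary members listed for group_name in /etc/group text."""
    for line in group_file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        if name == group_name:
            return [m for m in members.split(",") if m]
    raise KeyError(f"group {group_name!r} not found")


def pg_ident_entries(mapname: str, system_users: List[str], pg_role: str) -> List[str]:
    """One 'MAPNAME SYSTEM-USERNAME PG-USERNAME' line per system user."""
    return [f"{mapname}  {user}  {pg_role}" for user in system_users]


def parse_pg_ident(text: str) -> List[Tuple[str, str, str]]:
    """Parse pg_ident.conf text into (mapname, system_username, pg_username) triples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def map_allows(entries, mapname: str, system_user: str, pg_user: str) -> bool:
    """True if some entry in `mapname` maps system_user onto pg_user.

    Literal entries compare exactly. An entry whose system-username starts
    with '/' is a regular expression; if the PG-username contains \\1 the
    first capture group is substituted. Anchoring is left to the pattern
    itself (assumption made here; write ^...$ explicitly as the docs do).
    """
    for name, sys_pat, pg_pat in entries:
        if name != mapname:
            continue
        if sys_pat.startswith("/"):
            match = re.match(sys_pat[1:], system_user)
            if match is None:
                continue
            if "\\1" in pg_pat:
                if match.lastindex is None:
                    raise ValueError(f"\\1 used without a capture group: {sys_pat!r}")
                target = pg_pat.replace("\\1", match.group(1))
            else:
                target = pg_pat
            if target == pg_user:
                return True
        elif sys_pat == system_user and pg_pat == pg_user:
            return True
    return False


def build_map_for_group(group_file_text: str, group_name: str, mapname: str, pg_role: str) -> str:
    """Render the pg_ident.conf fragment that admits every member of group_name as pg_role."""
    members = group_members(group_file_text, group_name)
    header = f"# generated: members of group {group_name!r} may connect as {pg_role!r}"
    return "\n".join([header] + pg_ident_entries(mapname, members, pg_role)) + "\n"


if __name__ == "__main__":
    fragment = build_map_for_group(SAMPLE_GROUP_FILE, "pgusers", "pgmap", "appuser")
    print(fragment)
    entries = parse_pg_ident(fragment)
    for user in ("alice", "dave"):
        print(user, "->", map_allows(entries, "pgmap", user, "appuser"))
```

The generated fragment still has to be paired with a pg_hba.conf line such as `local all appuser peer map=pgmap`, and it must be regenerated (and the server reloaded) whenever group membership changes; nothing here reads /etc/group at connection time, which is exactly the limitation the thread describes.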


Re: setting up pg_ident for peer auth with unix groups

Tom Lane-2
In reply to this post by Geoff Winkless
Geoff Winkless <[hidden email]> writes:
> Not sure if I'm missing something obvious but I can't see a way to set up
> pg_ident with unix groups in the username maps.
> https://www.postgresql.org/docs/12/auth-username-maps.html
> Is it possible or do I have to set up one entry for every user?

If your goal is "allow any local user who is a member of group X
to connect", you might be able to do it by setting restrictive
filesystem privileges on the postmaster's Unix-socket file.  This
has some disadvantages --- notably, there's no way to override and
let selected non-group-members in too --- but it's worth considering.
See the unix_socket_group and unix_socket_permissions GUCs.

                        regards, tom lane
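Added example, not code from the thread or from PostgreSQL. It shows the socket-based approach Tom describes as a postgresql.conf fragment (the group name 'pgusers' is a constructed value), parses those two settings, and audits the resulting socket file: group ownership must match `unix_socket_group`, the mode must match `unix_socket_permissions`, and no "other" bits may be set, since any such bit lets non-members past the only control this approach has. The `run_demo` function exercises the check on a temporary regular file rather than a live server socket; on a real system point `check_socket` at the `.s.PGSQL.5432` file in `unix_socket_directories`.

```python
import grp
import os
import stat
import tempfile
from typing import Dict, List

# Constructed postgresql.conf fragment (assumed values, not from the thread):
# only members of group 'pgusers' can reach the socket; everyone else is
# refused by the filesystem before the postmaster ever sees the connection.
SOCKET_CONF = """\
unix_socket_group = 'pgusers'
unix_socket_permissions = 0770
"""


def parse_socket_settings(conf_text: str) -> Dict[str, object]:
    """Pull unix_socket_group / unix_socket_permissions out of postgresql.conf text."""
    settings: Dict[str, object] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("'\"")
        if key == "unix_socket_permissions":
            settings[key] = int(value, 8)      # the GUC is an octal mode
        elif key == "unix_socket_group":
            settings[key] = value
    return settings


def mode_findings(actual_mode: int, expected_mode: int) -> List[str]:
    """Findings about a socket's permission bits; empty list means acceptable."""
    findings = []
    if actual_mode & 0o007:
        findings.append(f"other bits set: mode {actual_mode:04o} lets non-members connect")
    if actual_mode != expected_mode:
        findings.append(f"mode {actual_mode:04o} differs from configured {expected_mode:04o}")
    return findings


def check_socket(path: str, expected_group: str, expected_mode: int) -> List[str]:
    """Audit ownership and mode of the socket file against the configured settings."""
    st = os.stat(path)
    findings = mode_findings(stat.S_IMODE(st.st_mode), expected_mode)
    try:
        actual_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        actual_group = str(st.st_gid)
    if actual_group != expected_group:
        findings.append(f"group is {actual_group!r}, expected {expected_group!r}")
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Exercise check_socket on a temporary file standing in for the socket."""
    settings = parse_socket_settings(SOCKET_CONF)
    expected_mode = settings["unix_socket_permissions"]
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        # Use whatever group the temp file was created with as the 'correct' one,
        # so the demo does not depend on a pgusers group existing on this host.
        own_group = grp.getgrgid(os.stat(path).st_gid).gr_name
        os.chmod(path, expected_mode)
        results = {"correct": check_socket(path, own_group, expected_mode)}
        os.chmod(path, 0o777)
        results["world_accessible"] = check_socket(path, own_group, expected_mode)
        os.chmod(path, expected_mode)
        results["wrong_group"] = check_socket(path, "not-" + own_group, expected_mode)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for case, findings in run_demo().items():
        print(case, "->", findings or ["ok"])
```

Because the filesystem decides, this gives Tom's stated trade-off exactly: there is no per-user exception list, so a user who is not in the group cannot be let in without widening the mode or changing the group.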