Re: Why pg_hba not in table?

From: Philippe Ferreira <phil(dot)f(at)worldonline(dot)fr>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Scott Marlowe <smarlowe(at)g2switchworks(dot)com>, Michael Fuhr <mike(at)fuhr(dot)org>, Chris Browne <cbbrowne(at)acm(dot)org>, pgsql general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Why pg_hba not in table?
Date: 2006-02-08 18:47:41
Message-ID: 43EA3CCD.7030304@worldonline.fr
Lists: pgsql-general


>>And you can change pg_hba.conf on the fly, so you don't have to restart
>>a 24/7 database because you locked the superuser out.
>
>If your back were against the wall, you could probably hand-edit the
>flat-file version of the permission file enough to let yourself in
>without shutting down the postmaster. It might not be as user-friendly
>to edit as the current pg_hba.conf, but it'd still be flat ASCII I expect.
>
Hi,

AFAIC, I've written scripts that alter the file "pg_hba.conf" on the fly,
while running PostgreSQL, and also *before* starting PostgreSQL!

The goal was to create a "restricted" mode, called via:
    service postgresql start-restricted

For example, if the database server is off, and maintenance is needed
*before* any normal (non-superuser) connections, we can start the server
directly, with perfect security settings...

So, the actual pg_hba.conf file is ideal!
If we had to start the database in order to reconfigure it to
prevent normal connections, a normal user could take advantage of this
to connect during this process!!

Don't lose flexibility and security for some "elegant" evolutions!

Best Regards,
Philippe Ferreira.
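
The "restricted" start described in the message above, sketched as an added example; this is not the poster's script. The function names, the `.normal` backup suffix, the `postgres` superuser role and `peer` authentication on the local socket are assumptions.

```shell
#!/bin/sh
# Added example: put pg_hba.conf into a superuser-only "restricted" mode
# before the server starts, and restore the normal rules afterwards.
# Assumed: superuser role "postgres", peer auth on the Unix socket.

restricted_rules() {
    cat <<'EOF'
# restricted mode: postgres superuser via the local socket only
local   all   postgres                peer
local   all   all                     reject
host    all   all       0.0.0.0/0     reject
host    all   all       ::/0          reject
EOF
}

enter_restricted() {    # $1 = data directory holding pg_hba.conf
    hba="$1/pg_hba.conf"
    [ -f "$hba" ] || { echo "no pg_hba.conf in $1" >&2; return 1; }
    # Never overwrite an existing saved copy: it holds the normal rules.
    [ ! -e "$hba.normal" ] || { echo "already restricted" >&2; return 2; }
    tmp="$hba.tmp.$$"
    cp -p "$hba" "$hba.normal" || return 1
    # Copy first so the new file keeps the owner and mode of the original,
    # then replace its contents with the restricted rules.
    cp -p "$hba" "$tmp" && restricted_rules > "$tmp" ||
        { rm -f "$tmp" "$hba.normal"; return 1; }
    # Rename is atomic: the server never sees a half-written file.
    mv "$tmp" "$hba"
}

leave_restricted() {    # $1 = data directory
    hba="$1/pg_hba.conf"
    [ -f "$hba.normal" ] || { echo "not in restricted mode" >&2; return 2; }
    mv "$hba.normal" "$hba"
}

# Intended order in an init script (not executed here):
#   enter_restricted "$PGDATA" && pg_ctl -D "$PGDATA" start
#   ... maintenance as the superuser ...
#   leave_restricted "$PGDATA" && pg_ctl -D "$PGDATA" reload
```

Because the file is rewritten before the postmaster is started, there is no interval in which the normal rules are in effect on a running server.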
