On Fri, Nov 13, 2009 at 11:47 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> Joe Miller <joe.d.mil...@gmail.com> writes:
> > I have a PostgreSQL installation for which I would like to limit local
> > domain socket access to the postgres user and members of the "myadmin"
> > group. I've modified pg_hba.conf to trust local domain socket connections,
> > and changed these settings in postgresql.conf:
> >
> > unix_socket_group = 'myadmin'
> > unix_socket_permissions = 0770
>
> Looks reasonable.
>
> > When I look at the socket file in /tmp, I see the following:
> >
> > srwx------ 1 postgres postgres 0 Nov 13 10:03 .s.PGSQL.5432
>
> Huh, did you restart the server? Are you sure you modified the right
> config file? Those settings obviously didn't "take".

Definitely the right file, and I've restarted multiple times.

If I set this:

#unix_socket_group = ''
unix_socket_permissions = 0770

...everything works as I expect. I have access logged in as either root or postgres, but get "permission denied" if I'm logged in as a myadmin user.

If I set this:

unix_socket_group = 'myadmin'
unix_socket_permissions = 0777

...connection is refused for all accounts. For this config, I'd expect to see the socket owned by the myadmin group, but I should have access from any account, correct?

Joe
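With trust authentication on the local socket, the socket file's group and mode are the only access control, so it helps to compare what postgresql.conf requests with what is actually on disk. The following is an added example, not part of the original message or of PostgreSQL itself; the function names and the sample configuration text are assumptions made for illustration.

```python
import re
import stat

# Constructed sample: the settings quoted in the post.
SAMPLE_CONF = """\
#unix_socket_group = ''
unix_socket_group = 'myadmin'   # group allowed to connect
unix_socket_permissions = 0770
"""

# name, then "=" or whitespace, then a quoted or bare value; "#" lines never match.
SETTING = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\s*=\s*|\s+)('(?:[^']|'')*'|[^\s#]+)")

def read_settings(conf_text):
    """Return active settings; commented lines are skipped, last one wins."""
    found = {}
    for line in conf_text.splitlines():
        m = SETTING.match(line)
        if m:
            value = m.group(2)
            if value.startswith("'"):
                value = value[1:-1].replace("''", "'")
            found[m.group(1).lower()] = value
    return found

def audit_socket(conf_text, st_mode, socket_group):
    """Compare configured socket group/mode with what stat() reported."""
    conf = read_settings(conf_text)
    want_mode = int(conf.get("unix_socket_permissions", "0777"), 8)
    want_group = conf.get("unix_socket_group", "")
    have_mode = stat.S_IMODE(st_mode)
    problems = []
    if not stat.S_ISSOCK(st_mode):
        problems.append("not a socket")
    if have_mode != want_mode:
        problems.append(f"mode {have_mode:04o}, configured {want_mode:04o}")
    if want_group and socket_group != want_group:
        problems.append(f"group {socket_group}, configured {want_group}")
    if have_mode & stat.S_IRWXO:
        problems.append("socket is open to every local account")
    return problems

if __name__ == "__main__":
    import grp, os, sys
    conf_path, sock_path = sys.argv[1:3]  # e.g. postgresql.conf /tmp/.s.PGSQL.5432
    st = os.stat(sock_path)
    with open(conf_path) as fh:
        for p in audit_socket(fh.read(), st.st_mode, grp.getgrgid(st.st_gid).gr_name):
            print(p)
```

An empty result means the socket on disk matches the active settings; for the listing quoted in the message it reports both the mode and the group mismatch.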