Magnus Hagander wrote: > > How expensive would it be to implement a "server_user" db open parameter > > that would perform reverse credential passing to validate? "dbname=XXX > > port=5432 server_user=postgres". If the server can't prove it is > > postgres through UNIX socket credential passing, it fails. Similarly, > > Probably not very, but you should be able to achieve the same thing by > moving the socket to a protected directory, I think?
What you are ulimately interested in is who runs a given server. Making the inference that if the socket is in a directory that is currently only writable by a certain user implies that the user owns the server that offers that socket doesn't sound like a given to me. And let's forget that it's not really straightforward to find out who has write access to some directory. -- Peter Eisentraut http://developer.postgresql.org/~petere/ ---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings