* Bruce Momjian (br...@momjian.us) wrote:
> On Mon, Jan 4, 2016 at 12:55:16PM -0500, Stephen Frost wrote:
> > I'd like to be able to include, in both of those, a simple set of
> > instructions for granting the necessary rights to the user who is
> > running those processes.  A set of rights which an administrator can go
> > look up and easily read and understand the result of those grants.  For
> > example:
> >
> ...
> > pgbackrest:
> >
> >   To run pgbackrest as a non-superuser and not the 'postgres' system
> >   user, grant the pg_backup role to the backrest user and ensure the
> >   backrest system user has read access to the database files (eg: by
> >   having the system user be a member of the 'postgres' group):
>                                                         ------
>
> Just to clarify, the 'postgres' OS user group cannot read the data
> directory, e.g.
>
>     drwx------ 19 postgres staff 4096 Jan 17 12:19 data/
>                            ^^^group
>
> I assume we don't want to change that.

This is going to be distribution dependent, unfortunately.  On
Debian-based distributions, the group is 'postgres' and it'd be
perfectly reasonable to allow that group to read the data directory.

I don't recall offhand if that means we'd have to make changes to allow
that, but, for my 2c, I don't see why we wouldn't allow it to be an
option.

Thanks!

Stephen