14.9.2 Creating a postgres User
More than likely, installing a PostgreSQL package will create a new Linux user
called postgres on your system. This is not a login account; it will be used by
the database server process daemon¹¹ (called “postmaster,” lest you think that
it might be an e-mail server or something). Furthermore, only the postgres
user is able to create additional database users or any databases.
Obviously, we won't want it to be like this forever. It has the same problem
as the root user on the OS itself: There's one magic user with all the
power. You'll need to create additional users and you'll want to limit what they
can do. How to do it?
First off, you can't log in as postgres, so you will have to become root
and then su to the postgres user:
[mschwarz@cassidy mschwarz]$ su -
Password:
[root@cassidy root]# su - postgres
-bash-2.05b$
Note that postgres didn't have any profile or rc script to set up prompts
or anything.
All PostgreSQL databases have owning users, in much the same way that
all Linux files have owning users. But PostgreSQL users are not necessarily the
same as Linux users.¹² The only PostgreSQL user that exists “out of the box”
is postgres. You must use the createuser command-line utility (or the
equivalent SQL) to create a user. Here's an example:
11. Historically, daemon processes on UNIX systems used to be run as root. But a program
error in a daemon would allow a malicious user to execute code as the owner of the process. If
that owner is root, one programming mistake in a server process could give an attacker total
control of the system. Beware of any daemon process that runs as root. Nowadays, these run
as either a totally nonprivileged user such as nobody, or, if they really need to write files or
some such thing, as a catch-all user like daemon. The database is an important process and it
needs its own security, so it runs as its own user, postgres.
12. For most PostgreSQL command-line utilities, if no PostgreSQL username is specified, the
current Linux username will be used. This is often a convenient choice, but you might have
compelling reasons not to do this.
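The limits this section asks for on additional users, sketched in SQL as an added example that is not from the original book. It assumes a current PostgreSQL release where CREATE ROLE is available; the names appuser and appdb and the password are hypothetical placeholders.

```sql
-- Run from psql as the postgres superuser (after "su - postgres").
-- appuser, appdb and the password below are hypothetical placeholders.

-- A login role with none of the administrative attributes, so it cannot
-- create databases, create other roles, or bypass permission checks.
-- Rough command-line equivalent:
--   createuser --no-superuser --no-createdb --no-createrole --pwprompt appuser
CREATE ROLE appuser
    LOGIN
    NOSUPERUSER
    NOCREATEDB
    NOCREATEROLE
    PASSWORD 'change-me';

-- Keep ownership of the database with the administrative account, so the
-- application role cannot drop or reconfigure it.
CREATE DATABASE appdb OWNER postgres;

-- A new database lets every role connect and create temporary tables through
-- the PUBLIC pseudo-role. Remove that and grant access to the one role
-- that needs it.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO appuser;

-- Check the result: only postgres should show superuser, createdb and
-- createrole set to true.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolcanlogin
FROM pg_roles
WHERE rolname IN ('postgres', 'appuser')
ORDER BY rolname;
```

Privileges on tables inside appdb still have to be granted separately after connecting to that database.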