Postgres – Restrict Superusers to Local Connections Only

authenticationpostgresql

I have a database with several users: foo, bar, and super. I was looking at pg_hba.conf to lock down access.

I'd like to allow foo and bar to be able to connect from any IP with password authentication. Or locally with trust authentication.

I'd like to allow super to only be able to login locally with trust authentication. Never from a non-local address.

I started with this.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# Allow everything if you're on the same machine.
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust

But, then I got stuck because I'm not sure how to say "all users, except super". I'm looking for something like this.

host    all             not_super       all                     md5

One approach I thought I could take is to list foo and bar explicitly. But, I'm wondering if there is another way.

host    all             foo             all                     md5
host    all             bar             all                     md5

Best Answer

Processing of pg_hba.conf stops at the first matching rule, so put your super user first - local only, trust - then rules for everybody else afterwards.

host  all  super  127.0.0.1/32  trust   # super user, local only - trust
host  all  super  0.0.0.0/0     reject  # super user, non-local - reject
host  all  all    0.0.0.0/0     md5     # All other users, anywhere - password

These address specifications are far too wide, in my opinion.
You should arrange define network subnets that your users must be within in order to connect to these databases.

Related Solutions

Postgresql – Howto disable Postgres listening on TCP

Maybe it is not the finest Solution / Answer to my question, but at least it will point anybody (facing the said challenge I had in my original question)

To disable listening on TCP/IP network I used this command line option when starting the server application:

postgres [other arguments] -c listen_addresses=''

Addition: The remaining open udp 127.0.0.1:38860 connection is supposedly linked to the purpose of the the statistics collector subprocess as suggested on postgresql.org

Postgresql – Connect to PgAdmin III via localhost

The basic misunderstanding: "localhost" is not a local connection. Your "trust" line in pg_hba.conf is not applicable for your connection:

local   all   all   trust

That only applies for connections via Unix-domain socket. Best choice for you is to connect via this route. Per pgAdmin documentation:

The host is the IP address of the machine to contact, or the fully qualified domain name. On Unix based systems, the address field may be left blank to use the default PostgreSQL Unix Domain Socket on the local machine, or be set to an alternate path containing a PostgreSQL socket. If a path is entered, it must begin with a “/”. The port number may also be specified.

Bold emphasis mine.

More about connecting without password in this related answer on SO:
Run batch file with psql command without password

Best Answer

Related Solutions

Postgresql – Howto disable Postgres listening on TCP

Postgresql – Connect to PgAdmin III via localhost

Related Question