31 Dec, 2021

Easier Postgres User Management

SergeantBiggs

linuxdatabasesqlsystem administrationsecurity

293 Words

2021-12-31 12:52 +0000

I have a Postgres instance that runs on my main server, and provides database services to all of my apps. Like everything, this has grown over the years. So I thought be time for some cleaning.

When I configured the services, I did it inconsistently because I didn’t really understand the different authentication options. Most of the time I would just create a username and password, contact the server over TCP/IP, and call it a day. This meant tracking users + passwords in external password managers, and writing long passwords in configuration files. I knew about postgresql sockets but never really used them. That is, until I discovered peer authentication. This allows postgres to authenticate users locally. You can then specify which users have access to which databases in pga_hba.conf. This allows you to easily add new users and give them permissions for databases, without having to fuck around with passwords. You can configure it by adding the specific users and databases that you want to activate peer authentication for.

For example: if you configure a gitlab instance, and want to give the gitlab user access to the gitlab database, add the following to pg_hba.conf:

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             postgres                                peer

# All other users that can access the socket
local   foo             foo                                     peer
local   bar             bar                                     peer
local   gitlab          gitlab                                  peer

This provides an easy way to ensure only specific users are allowed to access specific databases. It has the added benefit of being faster and more reliable, since it uses a Unix socket. I also removed the network authentication for localhost, and disabled listening on a network socket, since that is no longer needed.

/var/lib/postgres/data/postgresql.conf

listen_addresses = ''

Articles from blogs I read

Claude Code won April Fools Day this year

They gave people a heckin tamagochi, what's not to like?

via Xe Iaso's blog April 1, 2026

tar: a slop-free alternative to rsync

So apparently rsync is slop now. When I heard, I wanted to drop a quick note on my blog to give an alternative: tar. It doesn’t do everything that rsync does, in particular identifying and skipping up-to-date files, but tar + ssh can definitely accomodate th…

via Drew DeVault's blog March 28, 2026

Mastodon Stories for systemd v260

On March 17 we released systemd v260 into the wild. In the weeks leading up to that release (and since then) I have posted a series of serieses of posts to Mastodon about key new features in this release, under the #systemd260 hash tag. In case you aren't …

via Pid Eins March 27, 2026

What happens if we represent unix time as floats?

When evaluating the performance of some software component, I want to get high precision. But when I talk about millions of years in the future, I don't care about the exact second.

via Ξ January 16, 2026

Generated by openring