
I'm learning the ins and outs of web development and deployment in particular.

I have an Ubuntu server, I have a unix user userX and I have PostgreSQL installed. I have a simple Python / Flask web application that will be run under the userX unix account.

I need the web application to be able to connect to PostgreSQL, so I run sudo -u postgres createuser userX and this returns with no errors. I can now connect to PostgreSQL using sudo -u userX psql.

Questions:

  1. The newly created userX account (role, in PostgreSQL) does not require a password. On one hand, this seems correct because any password would have to be stored on the server itself if the web application required it to connect to PostgreSQL. On the other hand, not requiring a password seems insecure (although, if nobody can log in as userX, this should be fine)?

  2. The postgres PostgreSQL account also did not require a password. Does this mean the postgres account is insecure? Should this be allowed to exist or should the postgres user be removed? Should I be using the postgres user to connect to the database instead of userX?

  3. Where does pg_hba.conf come into play in all of this?

1 Answer


You should read about pg_hba.conf, and maybe about SSL certificates.

A. Scherbaum
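The answer points at pg_hba.conf without saying how it is applied, which is what the three questions hinge on. What follows is an added example, not code from the question or the answer: a small Python model of how PostgreSQL evaluates pg_hba.conf (records are tried top to bottom, the first record whose type, database, user and client address all match decides the authentication method, and a connection that matches no record is refused), run over a constructed file whose first lines resemble the Debian/Ubuntu packaged default. With a `local all all peer` record, a connection over the Unix socket is accepted for the role whose name equals the connecting OS user, which is why both `sudo -u userX psql` and `sudo -u postgres psql` work with no password. The role names, database name and addresses are made up; `weak_records` is a hypothetical helper that flags the methods a reviewer would want to see justified.

```python
"""Model of how PostgreSQL evaluates pg_hba.conf.

Added example (not from the question or the answer). PostgreSQL reads the
records top to bottom and the first record whose connection type, database,
user and client address all match decides the authentication method; later
records are never consulted, and a connection matching no record is refused.
Role names, database names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class HbaRecord:
    conn_type: str              # local | host | hostssl | hostnossl
    databases: list             # "all", "sameuser" or explicit names
    users: list                 # "all" or explicit role names
    address: Optional[Network]  # None for local (Unix-socket) records
    method: str                 # peer, scram-sha-256, reject, trust, ...


def parse_hba(text: str) -> list:
    """Parse the subset of pg_hba.conf syntax used in the samples below."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            conn_type, dbs, users, method = fields[:4]
            addr = None
        else:
            conn_type, dbs, users, addr_str, method = fields[:5]
            addr = ipaddress.ip_network(addr_str, strict=False)
        records.append(HbaRecord(conn_type, dbs.split(","), users.split(","), addr, method))
    return records


def _db_matches(patterns, database, user):
    return any(p == "all" or p == database or (p == "sameuser" and database == user)
               for p in patterns)


def match_hba(records, conn_type, database, user, client_ip=None, ssl=False):
    """Return the auth method of the first matching record, or None (refused)."""
    for r in records:
        if conn_type == "local":
            if r.conn_type != "local":
                continue
        else:
            if r.conn_type == "local":
                continue
            if r.conn_type == "hostssl" and not ssl:
                continue
            if r.conn_type == "hostnossl" and ssl:
                continue
            # an IPv4 address never matches an IPv6 network and vice versa
            if ipaddress.ip_address(client_ip) not in r.address:
                continue
        if not _db_matches(r.databases, database, user):
            continue
        if not any(p == "all" or p == user for p in r.users):
            continue
        return r.method
    return None


def weak_records(records):
    """Hypothetical audit helper: records that grant access without real proof
    of identity. 'trust' admits any matching client with no credentials at all;
    'password' sends the password in cleartext unless the link is SSL."""
    return [r for r in records if r.method in ("trust", "password")]


# Constructed sample. The peer and loopback lines resemble the Debian/Ubuntu
# packaged default: over the Unix socket the OS user name reported by the
# kernel must equal the role name (so 'sudo -u userX psql' logs in as role
# userX with no password), loopback TCP needs a SCRAM password. The final
# line is added to fail closed explicitly for every other address.
SAMPLE_HBA = """
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             ::1/128                 scram-sha-256
host    all             all             0.0.0.0/0               reject
"""

# The same file with one careless line prepended. Because first match wins,
# this lets ANY local OS user connect as ANY role, postgres included, with no
# password; the peer records beneath it are never reached.
BAD_HBA = "local   all             all                                     trust\n" + SAMPLE_HBA

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    print("local socket, userX  ->", match_hba(recs, "local", "appdb", "userX"))
    print("tcp 127.0.0.1, userX ->", match_hba(recs, "host", "appdb", "userX", "127.0.0.1"))
    print("tcp 10.0.0.5, userX  ->", match_hba(recs, "host", "appdb", "userX", "10.0.0.5"))
    print("weak records in BAD_HBA:", weak_records(parse_hba(BAD_HBA)))
```

The model shows the answer to the questioner's points 1 and 2: the absence of a password for userX and postgres is not a missing setting but the `peer` method doing its job, and it stays safe exactly as long as nobody else can become those OS users. The `BAD_HBA` case shows why the order of records matters more than any single line.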