Postgres DB user and OS user.

Posted on By Admin No Comments on Postgres DB user and OS user.

In PostgreSQL on Linux, it is crucial to understand that the OS user and the database user (often both named postgres) are two completely separate entities with separate credentials.

Here is the breakdown of how they interact:

1. Are the passwords the same?

No. * OS User (postgres): This is a Linux system account created during installation. By default, it usually has no password set (it is locked), meaning you cannot log in to it directly via SSH or su. You typically access it via sudo -u postgres.

  • DB User (postgres): This is a role inside the database. It has its own password stored in the PostgreSQL internal catalogs.
  • Recommendation: You do not need to set a password for the Linux postgres user. In fact, keeping it locked is more secure.

2. Can the OS user connect without a password?

Yes, by default.

On most Linux distributions (like Ubuntu, Debian, or CentOS), PostgreSQL is configured with a method called Peer Authentication for local connections.

  • How it works: When you are logged in as the Linux user postgres and run the command psql, the database “trusts” you because the kernel confirms your OS identity matches the requested database role.
  • The Command: This is why you can simply run:Bashsudo -u postgres psql You will be logged in immediately without being asked for a database password.

3. Understanding pg_hba.conf

The “magic” behind this behavior is located in a file called pg_hba.conf (usually found in /etc/postgresql/[version]/main/).

Connection TypeDatabaseUserAddressMethod
localallpostgrespeer
localallallpeer
hostallall127.0.0.1/32scram-sha-256
  • peer: Uses your Linux login name to authenticate. No password required if names match.
  • scram-sha-256 (or md5): Requires a database password.1 This is typically used for “network” connections (even if the “network” is just localhost).

Summary Table

User TypeStored InPrimary PurposeHow to Access
Linux OS User/etc/passwdOwns the DB files & processessudo -i -u postgres
Database Rolepg_authidManages tables, data, & permissionspsql -U postgres

To connect to the database user postgres remotely, you need to perform three main configuration steps. By default, PostgreSQL is “locked down” to only listen for local connections and often uses “Peer” authentication which doesn’t work over a network.

1. Set a Database Password1

Since remote connections cannot use your Linux OS identity (Peer authentication), you must set a password for the postgres database user.

  1. Log in locally: sudo -u postgres psql
  2. Run the password command:SQL\password postgres
  3. Enter your new secure password twice, then type \q to exit.

2. Enable Remote Listening

By default, Postgres only listens on localhost. You need to tell it to listen on your network interface.

  1. Find your postgresql.conf (usually in /etc/postgresql/[version]/main/).
  2. Find the line: #listen_addresses = 'localhost'
  3. Change it to:Plaintextlisten_addresses = '*' (Note: Using '*' listens on all interfaces. For better security, you can use your specific server IP.)2

3. Update the Allow-list (pg_hba.conf)

You must explicitly tell Postgres which remote IPs are allowed to connect.3

  1. Open pg_hba.conf in the same directory.
  2. Add a line at the bottom for your remote connection:Plaintext# TYPE DATABASE USER ADDRESS METHOD host all postgres [YOUR_CLIENT_IP]/32 scram-sha-256
    • host: Uses a TCP/IP connection.
    • [YOUR_CLIENT_IP]/32: Replace this with your specific computer’s IP address. Using 0.0.0.0/0 allows everyone, which is a major security risk for the postgres superuser.

4. Restart and Test

After saving the files, restart the service to apply changes:

Bash

sudo systemctl restart postgresql

To connect from your remote machine, use:

Bash

psql -h [SERVER_IP] -U postgres

⚠️ Security Warning

Exposing the postgres superuser to the internet is dangerous.

  • Best Practice: Use an SSH Tunnel instead. This lets you connect securely without opening ports or changing pg_hba.conf for the whole world.
  • Firewall: Ensure your Linux firewall (like ufw) allows traffic on port 5432 only from your specific IP: sudo ufw allow from [YOUR_IP] to any port 5432.

POSTGRESQL

Leave a Reply

Your email address will not be published. Required fields are marked *