On Sun, Sep 21, 2014 at 02:31:15AM -0400, Noah Misch wrote: > It then dawned on me that every Windows build of PostgreSQL already has a way > to limit connections to a particular OS user. SSPI authentication is > essentially the Windows equivalent of peer authentication. A brief trial > thereof looked promising. Regression runs will need a pg_ident.conf listing > each role used in the regression tests. That's not ideal, but the buildfarm > will quickly reveal any omissions. Unless someone sees a problem here, I will > look at fleshing this out into a complete patch. I bet it will even turn out > to be back-patchable.
That worked out nicely. "pg_regress --temp-install" rewrites pg_ident.conf and pg_hba.conf such that the current OS user may authenticate as the bootstrap superuser and as any user named in --create-role. Suites not using --temp-install (pg_upgrade, TAP) call "pg_regress --config-auth=DATADIR" to pick up those same configuration changes. My hope is that out-of-tree test harnesses wanting this hardening can do likewise. On non-Windows systems, "pg_regress --config-auth" does nothing.
f6dc6dd seems to have broken vcregress check for me:
