Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL - Mailing list pgsql-admin

From Robin Iddon
Subject Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL
Date
Msg-id 1331743471.5503.207.camel@elliot
In response to Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL  (Kris Deugau <kdeugau@vianet.ca>)
List pgsql-admin
Constrained sudo is no substitute for proper security.  If I was in charge of a database where personal details or credit card or financial information could be compromised I would not rely on constrained sudo.

The reason is that no matter how smart you think you are, some smarty pants always finds a way to abuse the root privileges they have been granted, possibly by exploiting a design flaw in the program they've been allowed to run as root.

For example, I am pretty sure that psql can be used to write files with arbitrary content (use your imagination with \copy ... or \echo ...).  I am pretty sure that as root you could overwrite /usr/bin/psql with another file of the same name that actually execs /bin/bash if invoked with a suitable command line option, but otherwise behaves just like /usr/bin/psql ...

If you don't believe me try this:

sudo psql <whatever ...>
dbname=>\pset tuples_only
dbname=>\o |/bin/bash
dbname=>select 'id';
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

There are many more sophisticated examples.  The only solution is not to grant sudo to anyone you wouldn't grant root to.

Cheers,
Robin

On Wed, 2012-03-14 at 12:24 -0400, Kris Deugau wrote:
Scott Ribe wrote:
> On Mar 14, 2012, at 9:01 AM, David Ondrejik wrote:
>
>> In Linux you can setup and use the "sudo" option. For those whom you don't wish to have root access, simply make them sudousers, then change the root password. This will force those users to simply type "sudo" (w/o quotes) at the beginning of each command they want to run (i.e. sudo psql db_name "insert into....").
>
> Sure, you mean like this command:
>
> sudo su root

If properly (mis)configured.

On the other hand, you can provide very limited root access on a 
command-by-command and user-by-user basis with more complex sudo 
configurations, and while the first request will ask for a password, 
further requests within the configured authorization timeout will still 
be logged even if the user isn't asked for their password.

-kgd

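Kris's per-command sudo rules and Robin's psql escape come down to the same defender's question: which sudoers entries are root-equivalent? The audit below is an added example, not code from the thread; it scans a constructed sudoers fragment and flags rules that grant ALL, or grant a program that can spawn a shell, to a root run-as user. The sample rules and the program list are assumptions, with psql on the list because of the \o |/bin/bash escape shown above.

```python
import re

# Constructed sudoers fragment (assumption, not from the thread). The alice rule is
# the pattern Robin warns about: psql under sudo is a root shell via \o |cmd.
SAMPLE_SUDOERS = """\
# constructed example
Defaults timestamp_timeout=5
alice   ALL=(root) /usr/bin/psql
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart postgresql
carol   ALL=(ALL) ALL
dave    ALL=(postgres) /usr/bin/pg_dump
"""

# Programs that hand out a shell when run as root (assumption: psql included
# because of its \o |cmd and \! metacommands; su/sh/bash are shells outright).
ROOT_EQUIVALENT = {"psql", "su", "sh", "bash"}

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]+)\))?\s*(.*)$")


def audit_sudoers(text):
    """Return (line number, user, reason) for every root-equivalent rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        runas = (runas or "root").split(":")[0]      # default run-as is root
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            # strip tag prefixes such as NOPASSWD: or NOEXEC:
            while ":" in cmd and cmd.split(":", 1)[0].isupper():
                cmd = cmd.split(":", 1)[1].strip()
            if cmd == "ALL":
                findings.append((lineno, user, "any command as %s" % runas))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in ROOT_EQUIVALENT and runas in ("root", "ALL"):
                findings.append((lineno, user, "%s as %s can spawn a root shell" % (prog, runas)))
    return findings


if __name__ == "__main__":
    for lineno, user, reason in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s: %s" % (lineno, user, reason))
```

Run against the real file with `visudo -c` first so the parser only sees syntactically valid rules; Defaults and alias lines are skipped rather than expanded.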
