Re: security - Mailing list pgsql-general

From Steve Atkins
Subject Re: security
Date
Msg-id 20050206051046.GA31777@gp.word-to-the-wise.com
Whole thread Raw
In response to security  (Ron Peterson <rpeterso@mtholyoke.edu>)
List pgsql-general
On Sat, Feb 05, 2005 at 09:08:00PM -0500, Ron Peterson wrote:
> I would like to be able to assert that the security of data stored as a
> value in a PostgreSQL table can be as high as the security of saving
> that same piece of data to a file on disk.  Would that be correct?

Theoretically, definitely not if the database is running on the same
machine as the application.

The data is stored as a file on the disk. So all the possible ways I
could read a file I can also read the database. There's no way that
the database can be more secure than "the filesystem" in general[1].

But you're also adding a large number of other ways I can read the
same data, via the database. They're much more complex (and powerful)
than simple filesystem level access. Because of that they're much
harder to audit and more likely to have subtle security flaws than the
filesystem. And it doesn't need to have more flaws than the FS to break
your assertion, just more flaws than zero.

In practice, I suspect you can engineer a pretty nicely secure system
using postgresql as a backing store. Running the database on a secure
host that is externally accessable only from the app that talks to it
would let you avoid (or at least ignore) some issues.

But you need to look at a real threat model and attack tree for your
specific architecture, rather than think about general database
related issues, I think.

Cheers,
  Steve

[1] Yes, postgresql can act as a gatekeeper for access, but so can
    a vastly simpler, much more easily audited dedicated gatekeeper
    application.

pgsql-general by date:

Previous
From: John DeSoi
Date:
Subject: Re: Referencing uninitialized variables in plpgsql
Next
From: David Fetter
Date:
Subject: Re: security