On Mon, Jan 22, 2007 at 08:30:53AM -0600, Ron Johnson wrote:
> > The answer depends heavily on what the "programmer/dba" can do.
> >
> > Any superuser of the DB can see any data
> > Any user that can access the raw files can see any data
> > Any user that can poke into memory can see any data
> > Any user that can access the backups can see any data there
> >
> > So in theory, if you restrict the programmer appropriately you could do
> > it, but you have to check they can still do their job.
>
> Anyone tried running PG with restrictive SELinux policies?
I beleive redhat does this by default, if you have SELinux enabled.
Suitably restricted, it should mean the dba/programmer won't be able to
get at the data except via the database.
I don't know of anyone that's actually done this.
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
