On Friday, October 12, 2001, at 10:33 PM, postgresql wrote:
>
> Could someone create a post that shows who(user) should own
> what. I have always let postgres own the pgsql directory and I see
> that it is recomended that root own it.
>
The PostgreSQL processes should be run as an unprivilidged user
(generally
a user called 'postgres'). This user should have the minimal rights to
function, which in this case is write access to the data directory.
This is why the rest of PostgreSQL should be installed owned by another
user
(generally root). This ensures that if the postgres user account is
compromised, the rights it gains an attacker are minimal. All it can do
is
trash your database. If the PostgreSQL executables were writable by the
postgres user, an attacker could install a trojan (eg. a simple wrapper
around
pgsql) and compromise further accounts on the system, eventually getting
to root.
The truely paranoid mount whatever they can from a read-only file system
(eg. CDROM or a network file system).
The same methodology should apply to all background services that do not
require being run as root. Even software which does require root privs
generally drop their privs as soon as possible (eg. Apache).
--
Stuart Bishop <zen@shangri-la.dropbear.id.au>
