Re: Disabling trust/ident authentication configure option - Mailing list pgsql-hackers

From Josh Berkus
Subject Re: Disabling trust/ident authentication configure option
Date
Msg-id 555A3D60.1050004@agliodbs.com
Whole thread Raw
In response to Re: Disabling trust/ident authentication configure option  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
On 05/18/2015 08:36 AM, Jim Nasby wrote:
> On 5/17/15 10:58 PM, Josh Berkus wrote:
>> The goal here was stated to preventing authentication misconfiguration
>> by shortsighted admins who have superuser access and the ability to
>> change pg_hba.conf.  This is tantamount to giving someone a gun and
>> bullets, but expecting duct tape across the cartridge slot to prevent
>> them from loading or using the gun.
> 
> The idea is to prevent *accidental* misconfiguration, not to try and
> permanently lock them out. IE: make them think before allowing them to
> just do something silly. Disabling auth methods at compile time seems a
> very reasonable way to accomplish that.

It doesn't seem like it to me.  You're talking about a mechanism which
would either require people to compile their own PostgreSQL binaries, or
have an additional set of packages available.  That's a huge amount of
overhead for something which could be just as easily accomplished by
putting the comment "#IF YOU ENABLE TRUST AUTH IN THIS FILE YOU WILL BE
FIRED" in pg_hba.conf.

Or, heck, simply putting pg_hba.conf in Puppet/Chef/Ansible/Salt and
restricting permissions to the CMS repo.  Which is something most modern
shops *already do*.

There are *real* things we could do to improve the overall security of
auth methods.  Mandatory logging of pg_hba.conf changes, for example. Or
having a way to monitor which servers have which auth methods for which
networks available in some scalable way (i.e. without reading
pg_hba.conf).  Those would also take a lot of work and thought lest they
expose additional attack surfaces.

One thing computer security history has demonstrated again and again is
that ad-hoc attempts to duct-tape over real security issues are
counter-productive, since they interfere with real work and the steps
people take to get around them create bigger security holes than the
original problem.  Let's please not do that in Postgres.

-- 
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com



pgsql-hackers by date:

Previous
From: Peter Geoghegan
Date:
Subject: Re: jsonb concatenate operator's semantics seem questionable
Next
From: Volker Aßmann
Date:
Subject: Re: Disabling trust/ident authentication configure option