Daniel Gomez Blanco <nanodgb@gmail.com> writes:
> I'm part of a service where we provide users with their own PostgreSQL
> instances. The idea is that we provide them with a website to request and
> manage their databases (start/stop, backups, restores, upgrades,
> monitoring, etc). By doing this, we avoid having to give them access to the
> machine where their database is running, as this would be a security
> concern. But in the end, the user is the sole responsible for the database.
> At the moment we create an "admin" user for them and give it "createdb" and
> "createrole" privileges. My question is, in case we give that user the
> superuser privilege, what would the repercussion be concerning security (as
> in accessing data on the machine for example)? And what advantages would
> the user acquire by having that privilege (considering major admin
> functionality is provided via the website)?
If you're not willing to give them a shell login on the database server,
you'd better not give them superuser, because the latter is easily
parlayed into the former on most platforms. (It's not trivial
necessarily, but we do not consider it a security bug if you can.)
However, it's also generally assumed that a person with DBA
responsibilities should be able to log in as the O/S user that runs the
database server (not root, but the postgres O/S user). So if your service
is telling people that they are "solely responsible", maybe you should
rethink that end of it.
The main functionality omission I'm noticing in your sketch is server
configuration adjustment and installation of database extensions ...
regards, tom lane
