Mark Dilger <mark.dilger@enterprisedb.com> writes:
>> On Apr 20, 2021, at 5:54 AM, Robert Haas <robertmhaas@gmail.com> wrote:
>> On Tue, Apr 20, 2021 at 1:31 AM Mark Dilger
>> <mark.dilger@enterprisedb.com> wrote:
>>> I think you are conflating the concept of an operating system adminstrator with the concept of the database
superuser/owner.
>> You should conflate those things, because there's no meaningful
>> privilege boundary between them:
> I understand why you say so, but I think the situation is more nuanced than that.
Maybe I too am confused, but I understand "operating system administrator"
to mean "somebody who has root, or some elevated OS privilege level, on
the box running Postgres". That is 100% distinct from the operating
system user that runs Postgres, which should generally be a bog-standard
OS user. (In fact, we try to prevent you from running Postgres as root.)
What there is not a meaningful privilege boundary between is that standard
OS user and a within-the-database superuser. Since we allow superusers to
trigger file reads and writes, and indeed execute programs, from within
the DB, a superuser can surely reach anything the OS user can do.
The rest of your analysis seems a bit off-point to me, which is what
makes me think that one of us is confused. If Alice is storing her
data in a Postgres database, she had better trust both the Postgres
superuser and the box's administrators ... otherwise, she should go
get her own box and her own Postgres installation.
regards, tom lane
