Thread: PgAgent should probably exclude Power Users group on Windows

PgAgent should probably exclude Power Users group on Windows

From: Steve Carrow
Date: 3/3/06 18:35
Just chased this one down. I knew that neither PostgreSQL nor PgAgent 
would let you fire up under an Administrator account, but since PgAgent 
would work under a Power User account, I left my PgAgent account as a 
Power User and then switched PG to that account. Big oopsie. For 
uniformity, PgAgent should check for the Power User thing as well. Also, 
where do the log entries go that indicate failure because the user 
account is too powerful?


Thanks,
Steve Carrow
Re: PgAgent should probably exclude Power Users

From: Dave Page
Date:

On 3/3/06 18:35, "Steve Carrow" <steve.carrow@levelv.com> wrote:

> Just chased this one down. I knew that neither PostgreSQL nor PgAgent
> would let you fire up under an Administrator account, but since PgAgent
> would work under a Power User account, I left my PgAgent account as a
> Power User and then switched PG to that account. Big oopsie. For
> uniformity, PgAgent should check for the Power User thing as well. Also,
> where do the log entries go that indicate failure because the user
> account is too powerful?

PgAgent doesn't care what account you run it under at all. PostgreSQL runs
under a limited account only to minimise the damage that can be done by an
attacker that manages to compromise the server somehow. PgAgent is a
different class of app - it's not a server and doesn't allow a (potentially
unknown) attacker any way to connect to it.

PgAgent has legitimate uses that may require administrative rights. The
security risk in this case is allowing low privilege users to schedule jobs
to be run by an agent with privileges they don't have. To prevent this, you
must secure the pgagent schema & configuration tables in the database, and
ensure that the unprivileged user cannot modify the database connection in
any way, for example by hacking the service config in the registry, or by
modifying DNS or hosts file entries to cause the agent to connect to the
wrong server.

Regards, Dave.
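The database side of what Dave describes (locking down the pgagent schema and its configuration tables so that an unprivileged database user cannot queue work for an agent that runs with more rights than they have) can be done with ordinary PostgreSQL GRANT/REVOKE statements. The block below is an added example and is not code from this thread or from the pgAgent project. The role names `pgagent_svc` (the login the agent service connects with), `job_admin` (the people allowed to define jobs) and `app_user` (an ordinary application login) are assumptions; the table list is pgAgent's own `pgagent` schema, so compare it against the version actually installed. The registry, DNS and hosts-file points are Windows hardening and are not covered here.

```sql
-- Added example, not from the thread or the pgAgent project.
-- Roles pgagent_svc, job_admin and app_user are assumptions.
-- Run this as the owner of the pgagent schema (or a superuser).

-- 1. Take away the default: PUBLIC gets nothing in the pgagent schema.
REVOKE ALL ON SCHEMA pgagent FROM PUBLIC;
REVOKE ALL ON
    pgagent.pga_jobagent, pgagent.pga_jobclass, pgagent.pga_job,
    pgagent.pga_jobstep, pgagent.pga_schedule, pgagent.pga_exception,
    pgagent.pga_joblog, pgagent.pga_jobsteplog
FROM PUBLIC;

-- 2. Only the agent's own login and the job administrators may touch
--    job definitions, schedules and run logs.  The agent reads job
--    definitions and writes log/heartbeat rows, so it needs DML here;
--    trimming it further than this is version-specific, so verify
--    against the pgAgent release in use before tightening.
GRANT USAGE ON SCHEMA pgagent TO pgagent_svc, job_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON
    pgagent.pga_jobagent, pgagent.pga_jobclass, pgagent.pga_job,
    pgagent.pga_jobstep, pgagent.pga_schedule, pgagent.pga_exception,
    pgagent.pga_joblog, pgagent.pga_jobsteplog
TO pgagent_svc, job_admin;

-- 3. Audit: every role that still holds a privilege on a pgagent table.
--    Anything other than the schema owner, pgagent_svc and job_admin
--    listed here is a way to schedule work under the agent's account.
SELECT grantee, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_schema = 'pgagent'
 ORDER BY grantee, table_name, privilege_type;

-- 4. Spot check from the unprivileged side: both columns must be false.
SELECT has_schema_privilege('app_user', 'pgagent', 'USAGE')          AS can_use_schema,
       has_table_privilege('app_user', 'pgagent.pga_job', 'INSERT')  AS can_create_job;
```

Two caveats when applying this: REVOKE never restricts the table owner or a superuser, so if application code runs as either of those the schema privileges do not protect you at all and the fix is to stop doing that; and the `GRANT ... ON ALL TABLES IN SCHEMA` shorthand only exists in PostgreSQL 9.0 and later, which is why the tables are listed individually above.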