Thread: Security question : Database access control

Security question : Database access control

From
"Igor Georgiev"
Date:
Is there any way to prevent the superuser from accessing the database?
I mean something like "GRANT / REVOKE CONNECT" MECHANISM
 
I have no idea how to prevent root from accessing data in one of these ways:
    root @ linux:~#su - postgres
    postgres @ linux:/usr/local/pgsql/bin$pg_dump ....
or
    edit pg_hba.conf
        # Allow any user on the local system to connect to any
        # database under any username, but only via an IP connection:
        host         all         127.0.0.1     255.255.255.255    trust     
        # The same, over Unix-socket connections:
        local        all                                          trust
or my nightmare a cygwin on Win 98 everybody can access everything :-((((
 
 

Re: [ADMIN] Security question : Database access control

From
Bruno Wolff III
Date:
On Tue, Oct 22, 2002 at 17:05:38 +0200,
  Igor Georgiev <gory@alphasoft-bg.com> wrote:
> Is there any way to prevent the superuser from accessing the database?
> I mean something like "GRANT / REVOKE CONNECT" MECHANISM
>
> I have no idea how to prevent root from accessing data in one of these ways:
>     root @ linux:~#su - postgres
>     postgres @ linux:/usr/local/pgsql/bin$pg_dump ....
> or
>     edit pg_hba.conf
>         # Allow any user on the local system to connect to any
>         # database under any username, but only via an IP connection:
>         host         all         127.0.0.1     255.255.255.255    trust
>         # The same, over Unix-socket connections:
>         local        all                                          trust
> or my nightmare a cygwin on Win 98 everybody can access everything :-((((

They can just read the raw database files as well. You have to be able to
trust whoever has root access to the system, as well as anyone who has
physical access to the system.

Re: Security question : Database access control

From
"Igor Georgiev"
Date:
> >     edit pg_hba.conf
> >         # Allow any user on the local system to connect to any
> >         # database under any username, but only via an IP connection:
> >         host         all         127.0.0.1     255.255.255.255    trust    
> >         # The same, over Unix-socket connections:
> >         local        all                                          trust
> what about reading pg_hba.conf comments?
>            local    all                                              md5
>
OK, but my question actually isn't about pg_hba.conf comments, I read enough,
but what will stop root from adding these lines or doing su - postgres ??

Re: Security question : Database access control

From
"scott.marlowe"
Date:
On Tue, 22 Oct 2002, Igor Georgiev wrote:

> > >     edit pg_hba.conf
> > >         # Allow any user on the local system to connect to any
> > >         # database under any username, but only via an IP connection:
> > >         host         all         127.0.0.1     255.255.255.255    trust
> > >         # The same, over Unix-socket connections:
> > >         local        all                                          trust
> > what about reading pg_hba.conf comments?
> >            local    all                                              md5
> >
>
> OK, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??
>

Nothing, root is GOD in unix.  He can do whatever he wants.


Re: [ADMIN] Security question : Database access control

From
Stephan Szabo
Date:
On Tue, 22 Oct 2002, Igor Georgiev wrote:

> > >     edit pg_hba.conf
> > >         # Allow any user on the local system to connect to any
> > >         # database under any username, but only via an IP connection:
> > >         host         all         127.0.0.1     255.255.255.255    trust
> > >         # The same, over Unix-socket connections:
> > >         local        all                                          trust
> > what about reading pg_hba.conf comments?
> >            local    all                                              md5
> >
>
> OK, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??

Not much really.  But given that they have access to the raw data
files, preventing them access to the server doesn't gain you that
much if they really want to get the data.


Re: [ADMIN] Security question : Database access control

From
"Igor Georgiev"
Date:
> They can just read the raw database files as well.
wow I'm not sure
how about this
 
    edit pg_hba.conf
        # Allow any user on the local system to connect to any
        # database under any username
        local        all                                          trust
 
su - postgres
psql test -U dba
or
pg_dump test
 
> You have to be able to trust whoever has root access to the system, as well as anyone who has
> physical access to the system.

Re: [ADMIN] Security question : Database access control

From
Tom Lane
Date:
"Igor Georgiev" <gory@alphasoft-bg.com> writes:
> OK, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??

As somebody already pointed out, you *must* trust the people with root
access to your machine; there is not anything you can do to defend
yourself against them.  If you can't trust the admins on the machine
you're using, better get your own machine.

            regards, tom lane

Re: Security question : Database access control

From
"Igor Georgiev"
Date:
> Next you're going to ask what will stop root from stopping your
> PostgreSQL, compiling a second copy with authentication disabled and
> using your data directory as its source :)
 
He he, I'm paranoid enough :))

> If you want to prevent root from accomplishing these things, you're
> going to have to look to your kernel for help.  The kernel must prevent
> root from changing users, starting / stopping applications, or touching
> certain filesystems.
>
> PostgreSQL will let you put a password on the data.  But that only works
> if they actually try to use PostgreSQL to get at the data.
 
use PostgreSQL to get at the data - Yeah, this will be enough.
I just want to REVOKE CONNECT PRIVILEGES on the database

Re: [ADMIN] Security question : Database access control

From
dima
Date:
>     edit pg_hba.conf
>         # Allow any user on the local system to connect to any
>         # database under any username, but only via an IP connection:
>         host         all         127.0.0.1     255.255.255.255    trust
>         # The same, over Unix-socket connections:
>         local        all                                          trust
what about reading pg_hba.conf comments?
           local    all                                              md5

> or my nightmare a cygwin on Win 98 everybody can access everything
> :-((((
/me shrugs
i don't use cygwin
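
An added example, not part of the original thread: since the replies agree that nothing stops root from adding `trust` lines, what remains is noticing when they appear. The sketch below compares `pg_hba.conf` against a known-good copy and flags new or `trust` rules; the function names are hypothetical, the sample files are constructed from the lines quoted in the thread, and it assumes the baseline is kept somewhere the host's root cannot alter.

```python
# Connection types that start a rule, and auth methods a rule can name.
TYPES = {"local", "host", "hostssl", "hostnossl"}
METHODS = {"trust", "reject", "md5", "password", "crypt", "ident", "peer",
           "krb4", "krb5", "pam", "gss", "sspi", "ldap", "radius", "cert",
           "scram-sha-256"}

# Constructed sample: known-good copy (the md5 line suggested in the thread).
SAMPLE_BASELINE = """\
local    all                                              md5
"""
# Constructed sample: the same file after the quoted trust lines were added.
SAMPLE_CURRENT = """\
# Allow any user on the local system to connect to any
# database under any username, but only via an IP connection:
host         all         127.0.0.1     255.255.255.255    trust
# The same, over Unix-socket connections:
local        all                                          trust
local    all                                              md5
"""

def rules(text):
    """Return [(line_no, method, normalized_rule)] for every active rule."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split columns
        if not fields or fields[0] not in TYPES:
            continue
        # Skip type and database; the first later column naming a method wins.
        # This covers both the old layout quoted in the thread (no user column)
        # and the current one. Caveat: a role literally named like a method
        # (e.g. "trust") would be misread.
        method = next((f for f in fields[2:] if f in METHODS), None)
        out.append((no, method, " ".join(fields)))
    return out

def audit(baseline_text, current_text):
    """Flag rules that are absent from the baseline or that use 'trust'."""
    known = {rule for _, _, rule in rules(baseline_text)}
    findings = []
    for no, method, rule in rules(current_text):
        reasons = []
        if rule not in known:
            reasons.append("not in baseline")
        if method == "trust":
            reasons.append("trust: no password required")
        if reasons:
            findings.append((no, rule, reasons))
    return findings

if __name__ == "__main__":
    for no, rule, reasons in audit(SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(f"line {no}: {rule}  <- {'; '.join(reasons)}")
```
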




Re: Security question : Database access control

From
Rod Taylor
Date:
On Tue, 2002-10-22 at 12:12, Igor Georgiev wrote:
> > >     edit pg_hba.conf
> > >         # Allow any user on the local system to connect to any
> > >         # database under any username, but only via an IP connection:
> > >         host         all         127.0.0.1     255.255.255.255    trust
> > >         # The same, over Unix-socket connections:
> > >         local        all                                          trust
> > what about reading pg_hba.conf comments?
> >            local    all                                              md5
> >
>
> OK, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??

Next you're going to ask what will stop root from stopping your
PostgreSQL, compiling a second copy with authentication disabled and
using your data directory as its source :)

If you want to prevent root from accomplishing these things, you're
going to have to look to your kernel for help.  The kernel must prevent
root from changing users, starting / stopping applications, or touching
certain filesystems.


PostgreSQL will let you put a password on the data.  But that only works
if they actually try to use PostgreSQL to get at the data.

There are a couple of tools which were designed to recover database data
while the db is not running.

--
  Rod Taylor


Re: Security question : Database access control

From
"Igor Georgiev"
Date:
> Next you're going to ask what will stop root from stopping your
> PostgreSQL, compiling a second copy with authentication disabled and
> using your data directory as its source :)

He he, somebody can blow up your home with C4, but this doesn't stop you from
locking your door !?!


Re: [ADMIN] Security question : Database access control

From
Stephan Szabo
Date:
On Fri, 25 Oct 2002, Igor Georgiev wrote:

>
> > Next you're going to ask what will stop root from stopping your
> > PostgreSQL, compiling a second copy with authentication disabled and
> > using your data directory as its source :)
>
> He he, somebody can blow up your home with C4, but this doesn't stop you from
> locking your door !?!

It's more equivalent to giving him the keys and then wondering why the
lock doesn't stop him.



Re: [ADMIN] Security question : Database access control

From
"Chad R. Larson"
Date:
On Tue, Oct 22, 2002 at 05:05:38PM +0200, Igor Georgiev wrote:
> or my nightmare a cygwin on Win 98 everybody can access everything

Or =my= nightmare:  Anything important on any Windows platform.

         -crl
--
Chad R. Larson (CRL22)    chad@eldocomp.com
  Eldorado Computing, Inc.   602-604-3100
     5353 North 16th Street, Suite 400
       Phoenix, Arizona   85016-3228