Thread: Security question : Database access control
Is there any way to prevent the superuser from accessing the database?
I mean something like a "GRANT / REVOKE CONNECT" mechanism.
I have no idea how to prevent root from accessing data in one of these ways:
root@linux:~# su - postgres
postgres@linux:/usr/local/pgsql/bin$ pg_dump ....
or
edit pg_hba.conf
# Allow any user on the local system to connect to any
# database under any username, but only via an IP connection:
host all 127.0.0.1 255.255.255.255 trust
# The same, over Unix-socket connections:
local all trust
or my nightmare, a cygwin on Win 98: everybody can access everything :-((((
On Tue, Oct 22, 2002 at 17:05:38 +0200, Igor Georgiev <gory@alphasoft-bg.com> wrote:
> Is there any way to prevent the superuser from accessing the database?
> I mean something like a "GRANT / REVOKE CONNECT" mechanism.
>
> I have no idea how to prevent root from accessing data in one of these ways:
> root@linux:~# su - postgres
> postgres@linux:/usr/local/pgsql/bin$ pg_dump ....
> or
> edit pg_hba.conf
> # Allow any user on the local system to connect to any
> # database under any username, but only via an IP connection:
> host all 127.0.0.1 255.255.255.255 trust
> # The same, over Unix-socket connections:
> local all trust
> or my nightmare, a cygwin on Win 98: everybody can access everything :-((((
They can just read the raw database files as well.
You have to be able to trust whoever has root access to the system, as well as anyone who has physical access to the system.
> > edit *pg_hba.conf*
> > # Allow any user on the local system to connect to any
> > # database under any username, but only via an IP connection:
> > host all 127.0.0.1 255.255.255.255 trust
> > # The same, over Unix-socket connections:
> > local all trust
> what about reading pg_hba.conf comments?
> local all md5
>
Ok, but my question actually isn't about pg_hba.conf comments, I read enough,
but what will stop root from adding these lines or doing su - postgres ??
On Tue, 22 Oct 2002, Igor Georgiev wrote:
> > > edit *pg_hba.conf*
> > > # Allow any user on the local system to connect to any
> > > # database under any username, but only via an IP connection:
> > > host all 127.0.0.1 255.255.255.255 trust
> > > # The same, over Unix-socket connections:
> > > local all trust
> > what about reading pg_hba.conf comments?
> > local all md5
> >
> Ok, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??
>
Nothing, root is GOD in unix. He can do whatever he wants.
On Tue, 22 Oct 2002, Igor Georgiev wrote:
> > > edit *pg_hba.conf*
> > > # Allow any user on the local system to connect to any
> > > # database under any username, but only via an IP connection:
> > > host all 127.0.0.1 255.255.255.255 trust
> > > # The same, over Unix-socket connections:
> > > local all trust
> > what about reading pg_hba.conf comments?
> > local all md5
> >
> Ok, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??
Not much really. But given that they have access to the raw data files, preventing them access to the server doesn't gain you that much if they really want to get the data.
> They can just read the raw database files as well.
wow I'm not sure
how about this
edit pg_hba.conf
# Allow any user on the local system to connect to any
# database under any username
local all trust
su - postgres
psql test -U dba
or
pg_dump test
> You have to be able to trust whoever has root access to the system, as well as anyone who has
> physical access to the system.
"Igor Georgiev" <gory@alphasoft-bg.com> writes:
> Ok, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??
As somebody already pointed out, you *must* trust the people with root access to your machine; there is not anything you can do to defend yourself against them. If you can't trust the admins on the machine you're using, better get your own machine.
regards, tom lane
> Next you're going to ask what will stop root from stopping your
> PostgreSQL, compiling a second copy with authentication disabled and
> using your data directory as its source :)
He he, I'm paranoid enough :))
> If you want to prevent root from accomplishing these things, you're
> going to have to look to your kernel for help. The kernel must prevent
> root from changing users, starting / stopping applications, or touching
> certain filesystems.
>
> PostgreSQL will let you put a password on the data. But that only works
> if they actually try to use PostgreSQL to get at the data.
use PostgreSQL to get at the data - Yeah, this will be enough
I just want to REVOKE CONNECT PRIVILEGES on the database
> edit *pg_hba.conf*
> # Allow any user on the local system to connect to any
> # database under any username, but only via an IP connection:
> host all 127.0.0.1 255.255.255.255 trust
> # The same, over Unix-socket connections:
> local all trust
what about reading pg_hba.conf comments?
local all md5
> or *my nightmare*, a cygwin on Win 98: everybody can access everything
> :-((((
/me shrugs
I don't use cygwin
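
An added example (not part of the thread and not PostgreSQL's own code): a small Python check that reports `trust` entries in a pg_hba.conf written in the column layout quoted above. The function names and the sample text are constructed for illustration, and the layout (`local DATABASE METHOD`, `host DATABASE ADDRESS MASK METHOD`, no user column) is assumed from the lines in this thread.

```python
# Added example: audit a pg_hba.conf in the column layout quoted in this thread.
# Assumed layout (taken from the quoted lines, no user column):
#   local  DATABASE  METHOD
#   host   DATABASE  IP_ADDRESS  ADDRESS_MASK  METHOD

METHOD_COLUMN = {"local": 2, "host": 4}


def audit_hba(text):
    """Return (line_number, record_type, database, method, finding) per entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        col = METHOD_COLUMN.get(fields[0])
        if col is None or len(fields) <= col:
            # Unknown record type or too few columns: report, do not guess.
            findings.append((lineno, fields[0], None, None, "unparsed"))
            continue
        database, method = fields[1], fields[col]
        if method == "trust":
            finding = "no-authentication"      # any local user, any username
        elif method == "password":
            finding = "cleartext-password"     # password sent unencrypted
        else:
            finding = "ok"
        findings.append((lineno, fields[0], database, method, finding))
    return findings


def entries_to_review(text):
    """Entries that are not plainly fine: weak methods and unparsed lines."""
    return [f for f in audit_hba(text) if f[4] != "ok"]


# Constructed sample: the two entries quoted in the thread plus the md5 variant.
SAMPLE = """\
# Allow any user on the local system to connect to any
# database under any username, but only via an IP connection:
host all 127.0.0.1 255.255.255.255 trust
# The same, over Unix-socket connections:
local all trust
local all md5
"""

if __name__ == "__main__":
    for entry in entries_to_review(SAMPLE):
        print(entry)
```

The check only reports what the file says at the time it runs.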
On Tue, 2002-10-22 at 12:12, Igor Georgiev wrote:
> > > edit *pg_hba.conf*
> > > # Allow any user on the local system to connect to any
> > > # database under any username, but only via an IP connection:
> > > host all 127.0.0.1 255.255.255.255 trust
> > > # The same, over Unix-socket connections:
> > > local all trust
> > what about reading pg_hba.conf comments?
> > local all md5
> >
> Ok, but my question actually isn't about pg_hba.conf comments, I read enough,
> but what will stop root from adding these lines or doing su - postgres ??
Next you're going to ask what will stop root from stopping your PostgreSQL, compiling a second copy with authentication disabled and using your data directory as its source :)
If you want to prevent root from accomplishing these things, you're going to have to look to your kernel for help. The kernel must prevent root from changing users, starting / stopping applications, or touching certain filesystems.
PostgreSQL will let you put a password on the data. But that only works if they actually try to use PostgreSQL to get at the data. There are a couple of tools which were designed to recover database data while the db is not running.
--
Rod Taylor
> Next you're going to ask what will stop root from stopping your
> PostgreSQL, compiling a second copy with authentication disabled and
> using your data directory as its source :)
He he, somebody can blow up ur home with C4, but this doesn't stop you from locking ur door !?!
On Fri, 25 Oct 2002, Igor Georgiev wrote:
> > Next you're going to ask what will stop root from stopping your
> > PostgreSQL, compiling a second copy with authentication disabled and
> > using your data directory as its source :)
>
> He he, somebody can blow up ur home with C4, but this doesn't stop you from
> locking ur door !?!
It's more equivalent to giving him the keys and then wondering why the lock doesn't stop him.
On Tue, Oct 22, 2002 at 05:05:38PM +0200, Igor Georgiev wrote:
> or my nightmare, a cygwin on Win 98: everybody can access everything
Or =my= nightmare: Anything important on any Windows platform.
-crl
--
Chad R. Larson (CRL22) chad@eldocomp.com
Eldorado Computing, Inc. 602-604-3100
5353 North 16th Street, Suite 400
Phoenix, Arizona 85016-3228