| From: | Robin Iddon <robin(at)edesix(dot)com> |
|---|---|
| To: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL |
| Date: | 2012-03-14 16:44:31 |
| Message-ID: | 1331743471.5503.207.camel@elliot |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Constrained sudo is no substitute for proper security. If I was in
charge of a database where personal details or credit card or financial
information could be compromised I would not rely on constrained sudo.
The reason is that no matter how smart you think you are, some smarty
pants always finds a way to abuse the root privileges they have been
granted, possibly by exploiting a design flaw in the program they've
been allowed to run as root.
For example, I am pretty sure that psql can be used to write files with
arbitrary content (use your imagination with \copy ... or \echo ...). I
am pretty sure that as root you could overwrite /usr/bin/psql with
another file of the same name that actually execs /bin/bash if invoked
with a suitable command line option, but otherwise behaves just
like /usr/bin/psql ...
If you don't believe me try this:
sudo psql <whatever ...>
dbname=>\pset tuples_only
dbname=>\o |/bin/bash
dbname=>select 'id';
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
There are many more sophisticated examples. The only solution is not to
grant sudo to anyone you wouldn't grant root to.
Cheers,
Robin
On Wed, 2012-03-14 at 12:24 -0400, Kris Deugau wrote:
> Scott Ribe wrote:
> > On Mar 14, 2012, at 9:01 AM, David Ondrejik wrote:
> >
> >> In Linux you can setup and use the "sudo" option. For those whom you don't wish to have root access, simply make them sudousers, then change the root password. This will force those users to simply type "sudo" (w/o quotes) at the beginning of each command they want to run (i.e. sudo psql db_name "insert into....").
> >
> > Sure, you mean like this command:
> >
> > sudo su root
>
> If properly (mis)configured.
>
> On the other hand, you can provide very limited root access on a
> command-by-command and user-by-user basis with more complex sudo
> configurations, and while the first request will ask for a password,
> further requests within the configured authorization timeout will still
> be logged even if the user isn't asked for their password.
>
> -kgd
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Scott Marlowe | 2012-03-14 17:10:26 | Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL |
| Previous Message | Kris Deugau | 2012-03-14 16:24:45 | Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL |