Re: OT: Database Encryption (now required by law in Italy)

From: Silvana Di Martino <silvanadimartino(at)tin(dot)it>
To: Mitch Pirtle <mitchy(at)spacemonkeylabs(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: OT: Database Encryption (now required by law in Italy)
Date: 2004-03-07 16:27:49
Message-ID: 200403071539.44080.silvanadimartino@tin.it
Lists: pgsql-admin
At 13:25, Sunday 7 March 2004, Mitch Pirtle wrote:
> Silvana Di Martino wrote:
> > Regarding this topic I have a dream: the hierarchical permission
> > architecture of OS/400 (and many other IBM OSs for mainframe) ported to
> > Linux. Just imagine this: you have an omnipotent "root" who can access the
> > machine from the console only, a whole set of powerful, configurable
> > administrators who can act from the net, each of them devoted to
> > administer a specific part of the OS or of the File System, and finally a
> > crowd of simple users, with configurable permissions. Nobody would have
> > more power than he actually needs for his job, not even the root.
>
> Great, then all of my linux users, thanks to the administrators in their
> physical presence, would get an account with SECADM privileges.
>
> (rimshot)

This would be a human act of will (a "betrayal"). It looks like not even
God can protect humans from this (have you ever heard of "free will"?). This
would not be different from a Linux/Unix root giving away its password. I
cannot see any way to protect ourselves from such a betrayal, neither with
technological tools nor in any other way.

BTW: you understandably suppose that administrators have the power to give
SECADM privileges to other users. This may or may not be true. I cannot
remember what the situation was on OS/400 but I would not be surprised to
discover that ADMINs do not have such a power. Most likely, just a SECADM can
create a new SECADM. A strict division of powers is a fundamental concept of
any security system.

See you

-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni(at)interfree(dot)it
silvanadimartino(at)tin(dot)it
