Re: Is there any such thing as PostgreSQL security on a hosted website?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Is there any such thing as PostgreSQL security on a hosted website?
Date: 2002-07-29 14:20:53
Message-ID: 20612.1027952453@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

"Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com> writes:
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?

If they have root on the machine running your DBMS, then only their own
integrity stops them from snooping all they want. There is NOTHING that
Postgres can possibly do to defend itself against a root user. "TRUST"
is the least of your worries --- they can alway just examine the
physical files holding the database.

regards, tom lane

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Richard Huxton 2002-07-29 14:34:08 Re: Problematic Index Scan
Previous Message Elielson Fontanezi 2002-07-29 14:18:58 message issued by INSERT commands