Re: Superuser without pg_hba could drop database

From: Guillaume Lelarge <guillaume(at)lelarge(dot)info>
To: Mudy Situmorang <mudy(at)astasolusi(dot)com>
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: Superuser without pg_hba could drop database
Date: 2010-07-29 07:29:20
Message-ID: 4C512DD0.6030905@lelarge.info
Lists: pgadmin-support
On 29/07/2010 09:15, Mudy Situmorang wrote:
> psql runs only from the server, while pgAdmin (which is a standard
> installation in PostgreSQL for Windows) is easily installed on any client.
> 

Wrong. psql can run from anywhere. "psql -h ip_of_the_server -U
my_superuser postgres" will connect to the server if the pg_hba.conf
allows me to. And I will be able to drop any database I want.

> In a network with several different projects & many databases that require
> dozens of superusers, pg_hba could provide the required access control.
> 

pg_hba.conf only provides *access* control, not objects' rights control.

> In this bug, when one superuser's password is compromised, all databases can
> be dropped from any client using pgAdmin.
> 

Sure. That's probably why you shouldn't have that many superusers.
Having one or two is understandable. Having more is, to say the least,
weird. Not sure that you know this, but a user can be owner of a
database without being a superuser. If you have a specific owner for
each of the databases, the owners won't be able to drop other databases.
They will only have the right to drop their own.

> IMO this is a major security problem on pgAdmin software.
> 

You mean with every PostgreSQL admin tool. You can do that with any of
them. Even psql. You can easily install psql on a PC and drop a database
if you are a superuser and have the right to connect to at least one
database. I think you misunderstand the use of the superuser. You
shouldn't have a lot of them.


-- 
Guillaume
 http://www.postgresql.fr
 http://dalibo.com
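The ownership model described in the reply above, as an added worked example (not part of the original message or of pgAdmin/PostgreSQL's own documentation). It creates one non-superuser owner role per database and shows why a compromised owner credential cannot drop another project's database, while a pg_hba.conf rule only decides who may connect. Role names, database names, passwords and the subnet are hypothetical.

```sql
-- Added example, not from the original thread. Run the CREATE statements as a
-- superuser (e.g. psql -h ip_of_the_server -U postgres postgres).
-- Role/database names, passwords and the subnet below are hypothetical.

-- One owner role per project. None of them is a superuser, and none can
-- create databases or roles, so a leaked password only exposes one project.
CREATE ROLE project_a_owner LOGIN PASSWORD 'change-me-a'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;
CREATE ROLE project_b_owner LOGIN PASSWORD 'change-me-b'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Each database is owned by its project's role, not by a superuser.
CREATE DATABASE project_a OWNER project_a_owner;
CREATE DATABASE project_b OWNER project_b_owner;

-- Audit query: which databases exist, who owns them, and whether any owner
-- is (wrongly) a superuser. Expected: two rows, rolsuper = false for both.
SELECT d.datname, r.rolname AS owner, r.rolsuper
FROM pg_database d
JOIN pg_roles r ON r.oid = d.datdba
WHERE d.datname IN ('project_a', 'project_b')
ORDER BY d.datname;

-- Now connect as the owner of project_a from any client with psql or pgAdmin:
--   psql -h ip_of_the_server -U project_a_owner postgres
-- and try to drop the other project's database. Object-level rights, not
-- pg_hba.conf, block this:
--   DROP DATABASE project_b;
--   ERROR:  must be owner of database project_b
-- Dropping the role's own database (while not connected to it) is allowed:
--   DROP DATABASE project_a;

-- For contrast, pg_hba.conf only controls *access*: the line below (added as an
-- illustration, not SQL) lets project_a_owner connect to project_a from one
-- subnet and says nothing about what the role may do once connected.
--   # TYPE  DATABASE    USER             ADDRESS          METHOD
--   host    project_a   project_a_owner  192.168.10.0/24  md5
```

A practical check for the situation in the thread is `SELECT rolname FROM pg_roles WHERE rolsuper;` on each server: every name beyond the one or two administrators the reply allows for is a role whose password, if compromised, can drop any database from any client that pg_hba.conf lets in.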
