Re: Installing PostgreSQL as "postgress" versus "root" Debate!

From: Doug Quale <quale1(at)charter(dot)net>
To: "PostgreSQL Admin" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Installing PostgreSQL as "postgress" versus "root" Debate!
Date: 2005-01-13 16:56:02
Message-ID: 87k6qh2rq5.fsf@charter.net
Lists: pgsql-admin

"Goulet, Dick" <DGoulet(at)vicr(dot)com> writes:

> to Postgres install as well. I as the DBA should be able to install,
> upgrade, etc. the software without access to the root account. Simply
> put, the fewer people who know the root password, the fewer who can
> destroy the system and the fewer who have to be told when the password
> changes. And the fewer people who know anything, the more secure it is.

This analysis is incomplete. Under this scheme, if someone cracks
your account they can install trojaned or malicious executables owned
by you without cracking root. The flaw is in believing that this
scheme requires an intruder to crack two accounts to defeat your
security. In fact, you have doubled the number of targets but left
the amount of work required of the bad guys to compromise your system
the same (crack one account).

Put all your eggs in one basket, and WATCH THAT BASKET.
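
The ownership point in this message can be checked mechanically. As an added example (not part of the original message or of PostgreSQL), this Python script lists every file and directory under an install prefix that an account other than root could modify or replace; the function names, the `trusted_uids` parameter and the choice to report any group-write bit are assumptions of the example.

```python
import os
import stat
import sys
import tempfile


def check(path, trusted_uids):
    """Return (path, reason) pairs for one file or directory."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # Link permissions mean nothing; the directory holding it is checked.
        return []
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return [(path, r) for r in reasons]


def audit_tree(root, trusted_uids=frozenset({0})):
    """Walk root and report anything a non-trusted account could alter.

    Directories are checked as well as files: whoever can write to a
    directory can replace a root-owned binary inside it.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        findings += check(dirpath, trusted_uids)
        for name in sorted(files):
            findings += check(os.path.join(dirpath, name), trusted_uids)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]          # install prefix supplied by the caller
    else:
        # Constructed sample tree: one binary left group-writable.
        target = tempfile.mkdtemp()
        sample = os.path.join(target, "postgres")
        open(sample, "w").close()
        os.chmod(sample, 0o775)
    for path, reason in audit_tree(target):
        print(f"{path}: {reason}")
```

Run with the install prefix as the only argument; an empty result means only root can change what is under it.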
