| From: | "woger151" <woger151(at)jqpx37(dot)cotse(dot)net> |
|---|---|
| To: | "Bill Moran" <wmoran(at)collaborativefusion(dot)com> |
| Cc: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: superuser authentication? |
| Date: | 2007-01-03 23:09:53 |
| Message-ID: | 008201c72f8c$d14fe6f0$6501a8c0@apollosjf |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
----- Original Message -----
From: "Bill Moran" <wmoran(at)collaborativefusion(dot)com>
To: "woger151" <woger151(at)jqpx37(dot)cotse(dot)net>
Cc: <pgsql-general(at)postgresql(dot)org>
Sent: Wednesday, January 03, 2007 10:09 AM
Subject: Re: [GENERAL] superuser authentication?
> In response to Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
>
>> "woger151" <woger151(at)jqpx37(dot)cotse(dot)net> writes:
>> > What I'm not sure about is how to authenticate the postgresql superuser
>> > (user 'postgres' on my system). I'm considering:
>>
>> > 1. Using ident (supposedly secure because of the SO_PEERCRED
>> > mechanism; and
>> > I've made a lot of effort to secure the server at the OS level)
>> > 2. Using password (_not_ stored on disk in e.g. pgpass)
>> > 3. Using reject
>>
>> How are you going to do backups?
>
> Additionally ...
>
> While I would never caution someone _against_ more security, keep some
> things in mind.
>
> There's a user on your system that PostgreSQL runs under (probably called
> "postgres"). That user owns all the files where Postgres stores the
> tables
> and everything else. None of that data is encrypted by Postgres (except
> passwords) so any user who can su to the postgres user can bypass the
> database to access the data, corrupt it, and even (if they're very clever)
> modify it.
>
> My point being, that if an attacker gets a shell on your system, they're
> already very close to being able to access your PostgreSQL data.
Right, which is why "ident" seems pretty secure. The only reason I don't
just go ahead with "ident" is that one can always wonder, "what if there's a
security hole in the implementation of SO_PEERCRED?"
> Personally, I'd set auth to password, then keep the password in a file in
> root's home directory and set it readable by root only. If an attacker
> can
> read that file, he already doesn't need to.
>
> This does mean that you'll have to carefully secure the script you use to
> make backups, since they'll need to have the password in them. But you'll
> need to carefully secure your backups anyway or all the other security is
> rather pointless.
Right.
>
> --
> Bill Moran
> Collaborative Fusion Inc.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | woger151 | 2007-01-03 23:13:26 | Re: superuser authentication? |
| Previous Message | Romulo Hunter | 2007-01-03 20:14:56 | Update to 8.2 in openSUSE 10.2 |