Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Kevin Brown <kevin(at)sysexperts(dot)com>, pgsql-hackers(at)postgresql(dot)org, Greg Stark <gsstark(at)mit(dot)edu>
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-23 13:10:52
Message-ID: 20050423131052.GR29028@ns.snowman.net
Lists: pgsql-hackers

* Kevin Brown (kevin(at)sysexperts(dot)com) wrote:
> Stephen Frost wrote:
> > Unfortunately, Postgres doesn't currently encrypt pg_shadow and even if
> > it did you'd have to have the password stored on disk somewhere in the
> > clear if you wanted the database to start automatically, which is more
> > important if you haven't got backup databases and whatnot (which aren't
> > really as easy to set up w/ Postgres and generally Postgres requires
> > more disk space than a KDC).
>
> Yeah, but who cares? If the attacker has enough access to the box
> that they can grab the stored master password, then they can modify
> the postgresql binaries and intercept the salt information (at a
> minimum) as it's being sent to the client anyway.

Security in layers *is* good. It is not unlikely that an attacker would
be able to gain enough access to read some small portion of protected
data without having full root access to the system. Your argument would
suggest that we should put plaintext passwords in /etc/shadow and that
there's no reason for a KDC to encrypt its database.

> That's because in any sane implementation, you'd store the master
> password in a root-readable-only file, and have Postgres start up as
> root, grab the password, and then immediately setuid() to the postgres
> account, so that accessing the database itself isn't enough to allow
> you to compromise the master password. If they can grab the master
> password with that setup, then they have root on the box anyway and
> can do anything they want.

Postgres won't start, atm anyway, if it's being run as root. You could
have something else do what you're suggesting though, yes. And, yes,
it'd be better than having the master password be readable from the disk
directly as the Postgres user. I certainly wouldn't complain if this
was available in Postgres and it would alleviate some of my concerns
about the 'md5' method in pg_hba.conf.

Stephen
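What the two messages above describe, written out as an added example that is not part of this thread and is not PostgreSQL code: a small wrapper that is started as root, reads the master secret from a root-only file, checks that the file really is root-owned and mode 0600, drops irreversibly to an unprivileged account, and only then execs the real daemon, handing the secret over on an inherited pipe so the daemon's own account never has read access to the file on disk. The secret path, the account name, the daemon path and the descriptor number the daemon is assumed to read the secret from are all assumptions made for this example; none of them is a PostgreSQL interface.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical locations chosen for this example; a real deployment picks its own. */
#define SECRET_PATH "/etc/pgmaster.key"       /* root-owned, mode 0600 */
#define RUN_AS_USER "postgres"
#define DAEMON_PATH "/usr/local/sbin/daemon"  /* assumed to read its secret from SECRET_FD */
#define SECRET_FD   3

/* A secret file is acceptable only as a regular file owned by root with
 * no group or world permission bits at all. */
int secret_file_is_safe(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid != 0)
        return 0;
    if (st->st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

/* Read the secret while still root.  O_NOFOLLOW refuses a symlink planted at
 * the path, and the ownership/mode check is done on the open descriptor
 * (fstat), so it cannot be raced by swapping the file after the check.
 * Returns the secret length (trailing newline removed) or -1 with errno set. */
ssize_t read_secret(const char *path, char *buf, size_t cap)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !secret_file_is_safe(&st)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    ssize_t n = read(fd, buf, cap);
    close(fd);
    if (n > 0 && buf[n - 1] == '\n')
        n--;
    return n;
}

/* True once the process runs as target_uid/target_gid and cannot get root
 * back: for an unprivileged target a setuid(0) attempt must fail. */
int privileges_dropped(uid_t target_uid, gid_t target_gid)
{
    if (getuid() != target_uid || geteuid() != target_uid)
        return 0;
    if (getgid() != target_gid || getegid() != target_gid)
        return 0;
    if (target_uid != 0 && setuid(0) == 0)
        return 0;   /* regained root: the drop was not permanent */
    return 1;
}

/* Supplementary groups first, then gid, then uid: after setuid() the
 * process could no longer change its groups. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return privileges_dropped(pw->pw_uid, pw->pw_gid) ? 0 : -1;
}

/* Zero the buffer in a way the compiler will not optimise away. */
void wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--)
        *v++ = 0;
}

int main(void)
{
    char secret[256];
    int pfd[2];
    char *args[] = { DAEMON_PATH, NULL };

    if (geteuid() != 0) { fprintf(stderr, "must be started as root\n"); return 1; }
    ssize_t n = read_secret(SECRET_PATH, secret, sizeof secret);
    if (n < 0) { perror(SECRET_PATH); return 1; }
    /* The secret travels on a pipe: it never lands on disk, in argv or in the
     * environment, and only the unprivileged daemon inherits the read end. */
    if (pipe(pfd) != 0 || write(pfd[1], secret, (size_t)n) != n) { perror("pipe"); return 1; }
    close(pfd[1]);
    wipe(secret, sizeof secret);
    if (dup2(pfd[0], SECRET_FD) < 0) { perror("dup2"); return 1; }
    if (pfd[0] != SECRET_FD)
        close(pfd[0]);
    if (drop_privileges(RUN_AS_USER) != 0) { perror("drop_privileges"); return 1; }
    execv(DAEMON_PATH, args);
    perror(DAEMON_PATH);   /* only reached if exec failed */
    return 1;
}
```

The fstat-based check is the part that matters for the objection raised in the thread: if the key file is readable by the service account (or by anyone else), the wrapper refuses to start rather than quietly running with a secret that the database's own uid could have read directly. The privileges_dropped() self-check, which tries setuid(0) after the drop, guards against the classic mistake of calling seteuid() instead of setuid() and leaving root recoverable.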
