Re: superuser authentication?

From: "woger151" <woger151(at)jqpx37(dot)cotse(dot)net>
To: "Bill Moran" <wmoran(at)collaborativefusion(dot)com>
Cc: <pgsql-general(at)postgresql(dot)org>
Subject: Re: superuser authentication?
Date: 2007-01-03 23:09:53
Message-ID: 008201c72f8c$d14fe6f0$6501a8c0@apollosjf
Lists: pgsql-general


----- Original Message -----
From: "Bill Moran" <wmoran(at)collaborativefusion(dot)com>
To: "woger151" <woger151(at)jqpx37(dot)cotse(dot)net>
Cc: <pgsql-general(at)postgresql(dot)org>
Sent: Wednesday, January 03, 2007 10:09 AM
Subject: Re: [GENERAL] superuser authentication?

> In response to Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>:
>
>> "woger151" <woger151(at)jqpx37(dot)cotse(dot)net> writes:
>> > What I'm not sure about is how to authenticate the postgresql superuser
>> > (user 'postgres' on my system). I'm considering:
>>
>> > 1. Using ident (supposedly secure because of the SO_PEERCRED mechanism;
>> > and I've made a lot of effort to secure the server at the OS level)
>> > 2. Using password (_not_ stored on disk in e.g. pgpass)
>> > 3. Using reject
>>
>> How are you going to do backups?
>
> Additionally ...
>
> While I would never caution someone _against_ more security, keep some
> things in mind.
>
> There's a user on your system that PostgreSQL runs under (probably called
> "postgres"). That user owns all the files where Postgres stores the tables
> and everything else. None of that data is encrypted by Postgres (except
> passwords) so any user who can su to the postgres user can bypass the
> database to access the data, corrupt it, and even (if they're very clever)
> modify it.
>
> My point being, that if an attacker gets a shell on your system, they're
> already very close to being able to access your PostgreSQL data.

Right, which is why "ident" seems pretty secure. The only reason I don't
just go ahead with "ident" is that one can always wonder, "what if there's a
security hole in the implementation of SO_PEERCRED?"

> Personally, I'd set auth to password, then keep the password in a file in
> root's home directory and set it readable by root only. If an attacker can
> read that file, he already doesn't need to.
>
> This does mean that you'll have to carefully secure the script you use to
> make backups, since they'll need to have the password in them. But you'll
> need to carefully secure your backups anyway or all the other security is
> rather pointless.

Right.

>
> --
> Bill Moran
> Collaborative Fusion Inc.
