Re: how to secure pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
Cc: Rizwan Shaukat <rizwan(dot)shaukat(at)hotmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: how to secure pg_hba.conf
Date: 2022-12-01 19:29:35
Message-ID: 1693764.1669922975@sss.pgh.pa.us
Lists: pgsql-general

"David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> On Thu, Dec 1, 2022 at 11:36 AM Rizwan Shaukat <rizwan(dot)shaukat(at)hotmail(dot)com>
> wrote:
>> we have requirement from security to secure pg_hba.conf file was encryption
>> or password protected on server to protect IP visibility because these
>> server access by application and they can amend as well. how we can achieve it
>> please

> You cannot with the present implementation of the system - pg_hba.conf is
> read by the PostgreSQL process as a file. I do not think the server is
> prepared for that file to be some kind of program whose stdout is the
> contents and you could arrange for that program to do whatever it is you'd
> like.

Even more to the point: if you are afraid of hostile actors being able
to access files inside your data directory, it seems to me that
pg_hba.conf is very far down the list of things to worry about. What's
to stop the same actors from examining/modifying other configuration
files, or even the actual database contents? If you don't think your
data directory is secure, you have problems that Postgres can't fix.

regards, tom lane
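
Added example (not part of the original message or of PostgreSQL): a POSIX shell check for the point made above, that pg_hba.conf is protected by ownership and mode bits on the data directory as a whole rather than by anything specific to that one file. The function name `audit_pg_files` is made up here, and the server account name (commonly `postgres`) and the paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original thread.
# audit_pg_files OWNER PATH...
#   OWNER: account (name or numeric uid) the server runs as.
#   PATH:  the data directory, plus pg_hba.conf and other config files
#          if they are kept outside it.
# Prints one line per finding; returns 0 when clean, 1 when anything is
# flagged or a path cannot be examined.
audit_pg_files() {
    apf_owner=$1
    shift
    apf_status=0

    # Anything not owned by the server account: its real owner can read or
    # rewrite it whatever the mode bits say.
    apf_hits=$(find "$@" ! -type l ! -user "$apf_owner" -print) || apf_status=1
    if [ -n "$apf_hits" ]; then
        printf '%s\n' "$apf_hits" | sed 's/^/WRONG-OWNER  /'
        apf_status=1
    fi

    # Group-writable, or any access at all for "other". The server itself
    # only accepts 0700 or 0750 on the data directory; this applies the same
    # rule to everything below it, pg_hba.conf included. Symlinks are
    # skipped because their own mode bits carry no meaning.
    apf_hits=$(find "$@" ! -type l \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print) \
        || apf_status=1
    if [ -n "$apf_hits" ]; then
        printf '%s\n' "$apf_hits" | sed 's/^/LOOSE-MODE   /'
        apf_status=1
    fi

    return "$apf_status"
}

# Run directly as: sh thisfile OWNER PATH...
if [ "$#" -gt 1 ]; then
    audit_pg_files "$@"
fi
```

A world-readable pg_hba.conf shows up as a `LOOSE-MODE` line, which is the "IP visibility" case from the original question; a clean run says nothing about who can log in as the owning account or as root.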
