Re: Securing Postgres

On Wed, Oct 05, 2005 at 04:37:38PM +0200, L van der Walt wrote:
> Then, I might as well just leave the whole PostgreSQL DB and write my
> own mini DB with encrypted XML files. I am sure someone must have an
> answer for me.

I think you are missing the point. Root is all powerful, end of story.
They could copy the datafiles to another machine and read them there.
If you can access the Postgres user you can copy the files also. Root
can open the debugger on the PostgreSQL backend and read data that way.

Root can use the debugger to bypass access protection in PostgreSQL,
and the backend would have no way to knowing it even happened. Root can
sniff the packets going over the network. Root can read the password
and ident files. Root can access kernel memory and adjust his own
permissions. Root can create a jail and make processes think they're
on the same machine when they're actual somewhere else.

In your example, they could simply extract your encyption key from the
memory of your program and decrypt the database files themselves. There
is no defense.

Root *is* god. If you don't trust the users, don't give them root. Why
should you? Perhaps you need explain what you want more carefully.
Maybe SELinux has a start for you, but you should probably just not let
people have root, seriously.
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.