From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Jim Nasby <Jim(dot)Nasby(at)BlueTreble(dot)com> |
Cc: | Neil Tiffin <neilt(at)neiltiffin(dot)com>, Yeb Havinga <yebhavinga(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, MauMau <maumau307(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com> |
Subject: | Re: pgaudit - an auditing extension for PostgreSQL |
Date: | 2015-02-17 18:23:40 |
Message-ID: | 20150217182340.GV6717@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
* Jim Nasby (Jim(dot)Nasby(at)BlueTreble(dot)com) wrote:
> On 2/17/15 12:07 PM, Stephen Frost wrote:
> >I agree that it's not the auditing job to stop or control access to
> >data, but it's not so simple to audit the superuser completely. The
> >issue is that even if you have a hard-coded bit in the binary which says
> >"audit everything", a superuser can change the running code to twiddle
> >that bit off, redirect the output of whatever auditing is happening,
> >gain OS-level (eg: shell) access to the system and then make changes to
> >the files under PG directly, etc. Setting a bit in a binary and then
> >not allowing that binary to be unchanged does not actually solve the
> >issue.
>
> If we've allowed a superuser *in the database* that kind of power at
> the OS level then we have a problem. There needs to be *something*
> that a database SU can't do at the OS level, otherwise we'll never
> be able to audit database SU activity.
This isn't a question. The database superuser has essentially OS-level
privileges as the user which PG runs as.
I'm all for coming up with a less powerful superuser and the work I've
been involved in around adding more role attributes is along the lines
to get us there, but I don't think we're ever going to really reduce the
power that the PG superuser has, for a variety of reasons.
Improving the documentation of what a superuser can do and how granting
such access is the same as giving OS shell-level access to the system as
the user that PG runs as would certainly be good.
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Jim Nasby | 2015-02-17 18:38:00 | Re: pgaudit - an auditing extension for PostgreSQL |
Previous Message | Jim Nasby | 2015-02-17 18:17:53 | Re: pgaudit - an auditing extension for PostgreSQL |