| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Gaurav Tomar <gauravtomar14(at)gmail(dot)com> |
| Cc: | pgsql-sql(at)postgresql(dot)org |
| Subject: | Re: RLS for superuser |
| Date: | 2016-12-08 13:54:00 |
| Message-ID: | 20161208135359.GB23417@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
Greetings,
* Gaurav Tomar (gauravtomar14(at)gmail(dot)com) wrote:
> We are developing an application which will connect to the PostgreSQL 9.5
> at backend.
> We do not want any DB role/user including superuser to access the table
> data from the backend, only if the user is logging in from the application
> can see the data.
Superuser can bypass all security through other means (consider the
pageinspect extension, which allows direct reading of any page in the
database, or the pg_read_file() function which allows reading of whole
files directly, and there are many more ways).
> To achieve this we have created policies and enable RLS on the tables. By
> enabling the RLS and creating policies we are able to restrict all the DB
> user/role including table owner of the table but not able to restrict
> superuser.
The table owner will always be able to disable RLS on the table, or to
drop and recreate the table. I'm not sure how you feel that's
"restricting" the table owner, because it really isn't.
Leveraging SELinux and similar technologies is an approach to being
able to limit what a PG superuser could do, but that doesn't seem like
what you're looking for here.
Thanks!
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gary Stainburn | 2016-12-16 11:02:37 | simple "select / if found" isn't |
| Previous Message | MS (direkt) | 2016-12-08 07:38:34 | Re: RLS for superuser |