Re: How to revoke privileged from PostgreSQL's superuser

On Wed, Aug 15, 2018 at 09:05:51AM -0700, Evan Rempel wrote:
> At the end of the day someone has full access and control and can do anything without auditing database statements.
>
> For instance, as the root user on the server, I can do:
>
> - shutdown the server database
> - copy the entire DB filespace to my workstation
> - change the workstation config for no logging/auditing
> - start the workstation Database
> - make all the changes I want at the workstation.
> - stop the workstation database
> - copy all of the files back to the server
> - start the server Database.
>
> no logging of any kind and all of the data would be suspect.

Well, that is an intersting attack, and I don't think it requires root
--- all it requires is access to the Postgres data directory. Frankly,
I don't know if there is a way to prevent the Postgres superuser from
silently disabling logging because the _data_ is fully under the control
of the Postgres superuser.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +