From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Required permissions for data directory
Date: 2004-10-12 19:53:35
Message-ID: 416C363F.2090503@commandprompt.com
Lists: pgsql-hackers
Tom Lane wrote:
> "Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
>
>>Tom Lane wrote:
>>
>>>Being able to edit postgresql.conf gives one the ability to become
>>>postgres (hint: you can cause the backend to load a shlib of your
>>>choosing, or even more trivially, adjust pg_hba.conf to let you in
>>>as superuser), so the above distinction is unenforceable.
>
>
>>Again, the responsibility of the administrator for the system.
>
>
> How so? The point is that there is *no such thing* as giving someone
> config edit permissions without thereby implicitly trusting them with
> the keys to the city.
Well, that isn't entirely true. Yes, you are obviously correct in that if
I give a user the ability to edit the pg_hba.conf file, that user has
the ability to become a superuser for PostgreSQL and completely screw my
database.
That is what lawyers are for.
However, it is also true that if I give, say, a tier2 the ability to
edit postgresql.conf without the ability to log in as postgres or root,
then that user cannot stop/start the database or have root access. They
can, however, allow another IP, user, or network access.
I can also put other items in place that detect a change in those files
fairly easily, which means that if there isn't a work order stating
"change this file", then a tier3 is notified.
> If you trust them that much, you may as well let
> them su to postgres. There is no point in using group membership as a
> substitute.
I disagree. I trust my tier1 to make a change to the conf file and let
me know the changes are done and ready for review. I do not trust my
tier1 to arbitrarily turn on logging, blow the config, restart
postgresql and have it not start up because of the error....
Allowing that tier1 to su to postgres gives them that capability.
Sincerely,
Joshua D. Drake
>
> regards, tom lane
--
Command Prompt, Inc., home of PostgreSQL Replication, and plPHP.
Postgresql support, programming shared hosting and dedicated hosting.
+1-503-667-4564 - jd(at)commandprompt(dot)com - http://www.commandprompt.com
Mammoth PostgreSQL Replicator. Integrated Replication for PostgreSQL
Attachment: jd.vcf (text/x-vcard, 640 bytes)
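The change detection Joshua describes for postgresql.conf and pg_hba.conf, as an added example that is not part of the thread: a SHA-256 baseline of the watched files is taken when a reviewed configuration is in place, and a later run reports any file whose hash no longer matches, which is the signal that a change without a work order behind it has landed. The data directory, its file contents, and the simulated edit below are constructed for the demo; only the two file names come from the thread.

```python
"""Baseline-and-compare change detection for PostgreSQL configuration files.

Added example, not code from the mailing-list thread. The watched file names
(postgresql.conf, pg_hba.conf) are the ones discussed in the thread; the data
directory and its contents below are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Files whose unreviewed modification should be escalated (names from the thread).
WATCHED = ("postgresql.conf", "pg_hba.conf")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(data_dir: Path) -> dict:
    """Map each watched file to its current hash; a missing file is recorded as None."""
    baseline = {}
    for name in WATCHED:
        path = data_dir / name
        baseline[name] = sha256_file(path) if path.exists() else None
    return baseline


def detect_changes(baseline: dict, data_dir: Path) -> dict:
    """Return {file: 'created' | 'modified' | 'deleted'} for every watched file
    that no longer matches the baseline. An empty dict means nothing changed."""
    current = build_baseline(data_dir)
    findings = {}
    for name in WATCHED:
        before, now = baseline.get(name), current.get(name)
        if before == now:
            continue
        if before is None:
            findings[name] = "created"
        elif now is None:
            findings[name] = "deleted"
        else:
            findings[name] = "modified"
    return findings


def demo() -> dict:
    """Constructed scenario: snapshot a fake data directory, then append an
    access rule to pg_hba.conf the way an unreviewed edit would, and report it."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp)
        (data_dir / "postgresql.conf").write_text("port = 5432\nlog_connections = off\n")
        (data_dir / "pg_hba.conf").write_text("local   all   all   peer\n")

        baseline = build_baseline(data_dir)
        # Round-trip through JSON: the baseline would normally be stored on disk
        # (outside the data directory) and reloaded on every check.
        baseline = json.loads(json.dumps(baseline))
        assert detect_changes(baseline, data_dir) == {}

        # Simulated edit with no work order: a new network is granted access.
        # 192.0.2.0/24 is a documentation range, used here only as a placeholder.
        with (data_dir / "pg_hba.conf").open("a") as fh:
            fh.write("host    all   all   192.0.2.0/24   md5\n")

        return detect_changes(baseline, data_dir)


if __name__ == "__main__":
    print(demo())  # {'pg_hba.conf': 'modified'}
```

In practice the baseline file is written somewhere the config editors cannot reach, and the check runs from cron or a monitoring agent that notifies the reviewing tier whenever `detect_changes` returns anything; the hash only tells you that a file changed, so the ticket or work order is still what decides whether the change was expected.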