Re: Required permissions for data directory

From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Required permissions for data directory
Date: 2004-10-12 19:53:35
Message-ID: 416C363F.2090503@commandprompt.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Tom Lane wrote:
> "Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
>
>>Tom Lane wrote:
>>
>>>Being able to edit postgresql.conf gives one the ability to become
>>>postgres (hint: you can cause the backend to load a shlib of your
>>>choosing, or even more trivially, adjust pg_hba.conf to let you in
>>>as superuser), so the above distinction is unenforceable.
>
>
>>Again, the responsibility of the administrator for the system.
>
>
> How so? The point is that there is *no such thing* as giving someone
> config edit permissions without thereby implicitly trusting them with
> the keys to the city.

Well that isn't entirely true. Yes, you are obviously correct in that if
I give a user the ability to edit the pg_hba.conf file -- that user has
the ability to become a superuser for PostgreSQL and completely screw my
database.

That is what lawyers are for.

However, it is also true that by having the ability to give say a tier2
the ability to edit the postgresql.conf withough the ability to log in
as postgres or root, then that user can not stop/start the database, or
have root access. They can however, allow another IP, user, network access.

I can also put other items in place that detect a change in those files
fairly easily. Which means if there isn't a work order stating change
this file, then a tier3 is notified.

If you trust them that much, you may as well let
> them su to postgres. There is no point in using group membership as a
> substitute.

I disagree. I trust my tier1 to make a change to the conf file and let
me know the changes are done and ready for review. I do not trust my
tier1 to arbitrarily turn on logging, blow the config, restart
postgresql and have it not start up because of the error....

Allowing that tier1 to su to postgres gives them that capability.

Sincerely,

Joshua D. Drake

>
> regards, tom lane

--
Command Prompt, Inc., home of PostgreSQL Replication, and plPHP.
Postgresql support, programming shared hosting and dedicated hosting.
+1-503-667-4564 - jd(at)commandprompt(dot)com - http://www.commandprompt.com
Mammoth PostgreSQL Replicator. Integrated Replication for PostgreSQL

Attachment Content-Type Size
jd.vcf text/x-vcard 640 bytes

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Josh Berkus 2004-10-12 20:04:22 Re: plans for bitmap indexes?
Previous Message Dann Corbit 2004-10-12 19:50:38 Re: Cannot build latest snapshot under Mingw