| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | Q Beukes <pgsql-dev(at)list(dot)za(dot)net> |
| Cc: | Postgresql Dev <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_hba.conf alternative |
| Date: | 2006-02-08 13:32:23 |
| Message-ID: | 43E9F2E7.5090100@dunslane.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Q Beukes wrote:
>Hello,
>
>Is there not some other alternative to pg_hba.conf?
>
>I have the problem where the system administrators at our company
>obviously have access to the whole filesystem, and our database records
>needs to be hidden even from them.
>
>With pg_hba.conf that is not possible, as they just change all the conf
>lines to "trust" auth and viola they have access to the database without
>passwords.
>
>Is there a more secure alternative to this? The perfect scenario being
>to deny everyone include "root" access to a database without a password.
>
>
>
>
This is an illusion, as plenty of security experts will tell you.
Password auth is a losing game for high security in the first place. So
this comment shows that you haven't thought this out properly.
If you want the data hidden from system administrators, you need to have
the client encrypt it before storing it. Of course, that will have
massive implications for your application.
There are no simple solutions. See here for why:
http://www.acm.org/classics/sep95/
cheers
andrew
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Woodward | 2006-02-08 13:53:25 | Re: pg_hba.conf alternative |
| Previous Message | Martijn van Oosterhout | 2006-02-08 12:57:46 | Re: sql row constructor...works! |