Re: How to have a blind-superuser

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Qingqing Zhou" <zhouqq(at)cs(dot)toronto(dot)edu>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: How to have a blind-superuser
Date: 2006-04-25 02:18:51
Message-ID: 8600.1145931531@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

"Qingqing Zhou" <zhouqq(at)cs(dot)toronto(dot)edu> writes:
> Basically I wonder if I can have a superuer that he has every priviliges as
> he does now (create language, rotate log files, create checkpoint and
> everything superuser can do) but one thing I want to make sure is that he
> could not see any user data for security reason (just think my database is
> filled with very important UFO data ;-)). In another word, I need a
> superuser be able to maintain database but he know nothing about what in the
> database. Is there a solution for this in PG?

AFAICS this is insoluble anywhere, not just in PG. CREATE LANGUAGE for
instance implies the ability to load arbitrary code into the backend.

If you don't trust your DBA, you could imagine encrypting all your data
on the client side before you store it, though this would for instance
severely limit your ability to search it. But there's no such thing as
a partial superuser: either you have unlimited access privileges or you
don't.

regards, tom lane

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tom Lane 2006-04-25 02:34:02 Re: How to close dead connections immediately
Previous Message Qingqing Zhou 2006-04-25 01:31:48 Re: How to have a blind-superuser