Re: Security question : Database access control
From | Rod Taylor |
---|---|
Subject | Re: Security question : Database access control |
Date | |
Msg-id | 1035300393.25823.23.camel@jester |
In response to | Re: Security question : Database access control ("Igor Georgiev" <gory@alphasoft-bg.com>) |
List | pgsql-hackers |
On Tue, 2002-10-22 at 12:12, Igor Georgiev wrote:
> > > edit *pg_hba.conf*
> > > # Allow any user on the local system to connect to any
> > > # database under any username, but only via an IP connection:
> > > host all 127.0.0.1 255.255.255.255 trust
> > > # The same, over Unix-socket connections:
> > > local all trust
> > what about reading pg_hba.conf comments?
> > local all md5
> >
>
> Ok, but my question actually isn't about pg_hba.conf comments, I read enough
> but what will stop root from adding these lines or doing su - postgres ??

Next you're going to ask what will stop root from stopping your PostgreSQL, compiling a second copy with authentication disabled and using your data directory as its source :)

If you want to prevent root from accomplishing these things, you're going to have to look to your kernel for help. The kernel must prevent root from changing users, starting / stopping applications, or touching certain filesystems.

PostgreSQL will let you put a password on the data. But that only works if they actually try to use PostgreSQL to get at the data. There are a couple of tools which were designed to recover database data while the db is not running.

--
Rod Taylor
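
Added example, not part of the original message: PostgreSQL cannot stop root from editing `pg_hba.conf`, but a periodic check can report when `trust` records like the ones quoted above appear in the file. The function names, the method list and the sample file are constructed for illustration; the parser accepts both the column layout shown in the thread and the current layout with a USER column, and does not handle quoted names.

```python
# Added example: report pg_hba.conf records whose auth method is "trust".
# Method keywords from current and older PostgreSQL releases (list assembled here).
METHODS = {"trust", "reject", "md5", "scram-sha-256", "password", "crypt", "krb5",
           "gss", "sspi", "ident", "peer", "pam", "ldap", "radius", "cert", "bsd"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample; the first two records are the ones quoted in the thread.
SAMPLE = """\
# constructed sample file
host all 127.0.0.1 255.255.255.255 trust
local all trust
local all md5
# current layout, with a USER column
local   all  postgres                 peer
host    all  all  127.0.0.1/32        scram-sha-256
host    all  all  10.0.0.0 255.0.0.0  trust   # trailing comment
"""

def auth_method(tokens):
    """Return the auth method of one tokenized record, or None if not a record."""
    kind = tokens[0]
    if kind == "local":
        # thread layout: local DB METHOD; current layout: local DB USER METHOD
        idx = 3 if len(tokens) > 3 and tokens[3] in METHODS else 2
    elif kind in HOST_TYPES:
        # METHOD sits at index 4 (DB IP MASK, or DB USER CIDR) or 5 (DB USER IP MASK)
        idx = 4 if len(tokens) > 4 and tokens[4] in METHODS else 5
    else:
        return None
    return tokens[idx] if idx < len(tokens) else None

def find_trust(text):
    """Return (line number, normalized record) for every record using trust."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop comments; quoted names not handled
        if tokens and auth_method(tokens) == "trust":
            hits.append((lineno, " ".join(tokens)))
    return hits

if __name__ == "__main__":
    for lineno, record in find_trust(SAMPLE):
        print(f"line {lineno}: passwordless access: {record}")
```

As the message says, this only covers access that goes through PostgreSQL; it reports a change to the file and does nothing about a user who reads the data directory directly.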