On Thu, 2005-01-13 at 15:13, Uwe C. Schroeder wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 13 January 2005 10:52 am, Goulet, Dick wrote:
> > Doug,
> >
> > OK, Assume that the binaries are installed under root, but a
> > hacker cracks PostGres, what is to stop him/her from trashing all of the
> > database files in the first place? Their not owned by root. Installing
> > malware, whether it's actual code or destroying/defacing files causes
> > similar if not identical problems. At least their restricted to the
> > postgres user. And in my book the executables are of zero value whereas
> > the data files, and their contained data, are of infinite value. So
> > under your scheme we're protecting the least valuable part of the
> > system at the expense of the most valuable.
>
> So where is the difference? If all executables AND the data is under the
> postgres account - an intruder hacking the postgres account would still be
> able to destroy your data.
> BTW: most commercial software needs root access to be installed - and be it
> just to create the user accounts. It doesn't really matter who owns the
> executables - if the account owning the files is hacked you're screwed
> anyways. When it comes to protecting the data which is the most important
> thing after all, replication and backup are your friends. For my larger
> customers I'm running replication to two offsite servers (one east-coast, one
> texas, just to make sure they're fine when the next earthquake hits) and I do
> backups every 8 hours - which are written to a tape and distributed to
> another set of offsite servers using rdist. So whatever happens the max they
> could ever possibly lose is 8 hours, except there is a full blown nuclear
> attack on the whole US - in which case nobody would care about the data
> anyways.
Like someone pointed out, it might be quite possible to install a
trojaned psql executable or some equivalent to harvest passwords, or
even a version that when executed by root on accident (i.e. the sysadmin
forgets he's logged in as root and runs psql) which then installs a root
kit.
Also, it might make it easier for a hacker to cover his tracks if he can
write to the postgresql binaries.