On Wed, 2005-10-05 at 09:37, L van der Walt wrote:
> Berend Tober wrote:
>
> > L van der Walt wrote:
> >
> >> I would like to secure Postgres completly.
> >>
> >> Some issues that I don't know you to fix:
> >> 1. User postgres can use psql (...) to do anything.
> >> 2. User root can su to postgres and thus do anything.
> >> 3. Disable all tools like pg_dump
> >>
> >> How do I secure a database if I don't trust the administrators.
> >> The administrator will not break the db but they may not view
> >> any information in the databse.
> >
> >
> > It may be just me and my silly old-fashion attitudes, but I kind of
> > think that if your sys admin(s) cannot be trusted, you are pretty much
> > screwed. And your hiring process needs fixing,
> >
> > But being that as it may, maintaining physical security, i.e., keeping
> > the host server in a locked room with restricted and recorded access
> > and that requires at least two persons present so that collusion is
> > required for tampering, disabling remote root login, granting limited
> > sys admin privileges with sudo (which records the sudoer activities,
> > for auditing purposes) might be a way to accomplish what you are
> > looking for.
> >
> >
> >
> Then, I might as well just leave the whole PostgreSQL DB and write my
> own mini DB with encrypted XML files. I am sure someone must have an
> answer for me.
And it still won't be secure, because whoever has administrator / root
access can copy all the files off, including the encryption keys, and
then get access that way.
This is an interesting thread, but ultimately it's a discussion about
angels dancing on the head of a pin. If someone can log in as root,
they can get access to the data.
If you break the encryption out so that the data is encrypted before it
gets to the database, then that data is secure from the administrator of
the db machine, but now vulnerable to the administrator of the middle
tier machine doing the encryption.
Trying to implement security procedures to reduce root's access are
ultimately futile, no matter how much code you throw at the problem.