Well, someone I can wholeheartedly agree with. So it really does not
matter who owns the binaries. Once the right account gets hacked your
had. If they hack root your dead, if they hack postgres the database is
had although the server may survive. In either case the state of your
backups is your saving grace or doom.
Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA
-----Original Message-----
From: Uwe C. Schroeder [mailto:uwe@oss4u.com]
Sent: Thursday, January 13, 2005 4:14 PM
To: PostgreSQL Admin
Subject: Re: [ADMIN] Installing PostgreSQL as "postgress" versus "root"
Debate!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 13 January 2005 10:52 am, Goulet, Dick wrote:
> Doug,
>
> OK, Assume that the binaries are installed under root, but a
> hacker cracks PostGres, what is to stop him/her from trashing all of
the
> database files in the first place? Their not owned by root.
Installing
> malware, whether it's actual code or destroying/defacing files causes
> similar if not identical problems. At least their restricted to the
> postgres user. And in my book the executables are of zero value
whereas
> the data files, and their contained data, are of infinite value. So
> under your scheme we're protecting the least valuable part of the
> system at the expense of the most valuable.
So where is the difference? If all executables AND the data is under the
postgres account - an intruder hacking the postgres account would still
be
able to destroy your data.
BTW: most commercial software needs root access to be installed - and be
it
just to create the user accounts. It doesn't really matter who owns the
executables - if the account owning the files is hacked you're screwed
anyways. When it comes to protecting the data which is the most
important
thing after all, replication and backup are your friends. For my larger
customers I'm running replication to two offsite servers (one
east-coast, one
texas, just to make sure they're fine when the next earthquake hits) and
I do
backups every 8 hours - which are written to a tape and distributed to
another set of offsite servers using rdist. So whatever happens the max
they
could ever possibly lose is 8 hours, except there is a full blown
nuclear
attack on the whole US - in which case nobody would care about the data
anyways.