Re: pg_hba.conf alternative

From: Q Beukes
Subject: Re: pg_hba.conf alternative
Date
Msg-id: 43F03E1B.6010201@list.za.net
In reply to: Re: pg_hba.conf alternative  (Rick Gigger <rick@alpinenetworking.com>)
Responses: Re: pg_hba.conf alternative  (Tino Wildenhain <tino@wildenhain.de>)
List: pgsql-hackers
How? Is there some kernel patch to enable you to completely deny
access to root?
Tino Wildenhain pointed out SELinux has a feature like that.

Rick Gigger wrote:

> But why do they need access to the files in the file system?  Why not 
> put them on the local box but don't give them permissions to edit the 
> pg_hba file?  They should still be able to connect.
>
> On Feb 9, 2006, at 5:56 PM, Q Beukes wrote:
>
>> I did consider that, but the software we use (which again uses postgresql)
>> atm only supports local connection to the database.
>>
>> I am the database admin, the other admins just manage stuff like user accounts,
>> checking logs, etc...
>>
>> Unfortunately there is no other way to set it up, and like I mentioned
>> government security is not required.
>>
>> I did however statically code the pg_hba.conf file into pg binaries.
>>
>> The only way I found to access the db now would be to replace the binary and
>> possibly sniffing traffic. But we're not worried about that. They're not really
>> criminally minded people.
>>
>> thx for everyone's help anyway ;>
>>
>>
>> korry wrote:
>>
>>>> Why would you not simply set this up on a separate machine to which only
>>>> the trusted admins had access? Most data centers I am familiar with use
>>>> single purpose machines anyway. If someone is trusted as root on your
>>>> box they can screw you no matter what you do. Pretending otherwise is
>>>> just folly.
>>>>
>>>>
>>>
>>> Agreed - that would be a much better (easier and more secure) solution where
>>> practical.
>>>
>>>             -- Korry
>>>
>>> ---------------------------(end of broadcast)---------------------------
>>> TIP 3: Have you checked our extensive FAQ?
>>>
>>>               http://www.postgresql.org/docs/faq

