Re: Securing Postgres

Uh. Unless you've done something more than what you say, a windows
administrator can definitely access the data. Maybe most windows
"administrators" don't know how to do it, but it is possible.

I've viewed and changed data on a database on Windows without the database
administrator username and password. I did it to patch a bug in some
software that stored its programs/scripts in a database - we didn't want to
wait for the vendor to fix it. All I needed was a hexeditor and read/write
access to the necessary files - and a bit of luck - fortunately there was
"room" in the code to do the edits. You can't do "inserts/adds" - you can
only overwrite data.

You could make things a bit harder if you have access to a B level trusted
O/S.

But if your "administrators" only need to do a few things you can trust
them with, you might be able to get away with using disk/partition
encryption and sudo or some wrapper scripts for those few things. You then
get the passwords/keys to mount the encrypted partitions/disks remotely via
a secured encrypted channel e.g. ssh or SSL (make sure you check the certs
;) ).

[1] If you have physical access you can have a boot CD that resets the
admin password, but if you don't want to do that, you can always use
Knoppix or something with the necessary NTFS support to read and write the
data. Encryption helps make such things harder, but at some point the keys
to decrypt stuff need to be present so that things can be used - symmetric
encryption is typically used for performance reasons.

Most crypto stuff ends up being some "thingy" that encrypts/decrypts a
small symmetric crypto key, which then in theory can be accessible by a
resourceful person with "root" or "admin".

At 04:31 PM 10/5/2005 +0200, L van der Walt wrote:

>Example:  On a MS Windows Server with MS SQL Server.  The administrator
>with the administrator username and password can not access the SQL server
>data.  He also needs the SA username and password for the SQL server to do
>so.  He can stop and start the server and so on but not access the data.
>
>How do I secure a system in the same way with Linux and PostgreSQL.
>
>Richard Huxton wrote:
>
>>L van der Walt wrote:
>>
>>>I would like to secure Postgres completly.
>>>
>>>Some issues that I don't know you to fix:
>>>1.  User postgres can use psql (...) to do anything.
>>
>>
>>
>>Prevent anyone from logging in as user postgres.
>>Remove psql.
>>
>>>2.  User root can su to postgres and thus do anything.
>>
>>
>>
>>That's the root user - it is supposed to be able to do what it likes.
>>
>>>3. Disable all tools like pg_dump
>>
>>
>>
>>You can delete the executables, but that's not going to stop people
>>running their own version if they can connect.
>>
>>>How do I secure a database if I don't trust the administrators.
>>>The administrator will not break the db but they may not view
>>>any information in the databse.
>>
>>
>>
>>If you don't trust the administrators of the machine, there's nothing you
>>can do if they have physical access to it. They'll always be able to work
>>around anything you can do.
>>
>>Can you say more about the situation - it might be someone has been in a
>>similar situation themselves?
>>--
>>   Richard Huxton
>>   Archonet Ltd
>>
>
>
>
>
>---------------------------(end of broadcast)---------------------------
>TIP 5: don't forget to increase your free space map settings
>