Re: Installing PostgreSQL as "postgress" versus "root" Debate!

From Doug Quale
Subject Re: Installing PostgreSQL as "postgress" versus "root" Debate!
Msg-id 87r7kpujlr.fsf@charter.net
In reply to Re: Installing PostgreSQL as "postgress" versus "root" Debate!  ("Goulet, Dick" <DGoulet@vicr.com>)
List pgsql-admin
"Goulet, Dick" <DGoulet@vicr.com> writes:

>     OK, Assume that the binaries are installed under root, but a
> hacker cracks PostGres, what is to stop him/her from trashing all of the
> database files in the first place?  They're not owned by root.  Installing
> malware, whether it's actual code or destroying/defacing files causes
> similar if not identical problems.  At least they're restricted to the
> postgres user.  And in my book the executables are of zero value whereas
> the data files, and their contained data, are of infinite value.  So
> under your scheme we're protecting the least valuable part of the
> system at the expense of the most valuable.

OK, suppose that I follow your suggestion.  Assume that the binaries
are installed under postgres, but a hacker cracks postgres.  What is
to stop him/her from trashing all the database files in the first
place?  (Nothing.)  How is this different than the traditional
installation where the binaries are owned by root?  (It isn't, it's
exactly the same.)  The answer to your question doesn't provide any
distinction between the traditional installation and the installation
you prefer.  The risks to the data are identical either way, but the
risk of a trojan is less for a traditional installation than for your
installation.

Malware isn't restricted to the postgres user if any postgres binary
is ever invoked by any user other than postgres.  This might happen
with psql, for example.  Even if it were restricted to the postgres
user, malware might still be used to collect unencrypted passwords.
This problem is not identical to the dangers faced by losing data.
It's data loss plus an extra worry.

I agree that data security is a much bigger concern than the threat of
trojaned PostgreSQL binaries.  You are wrong, however, to think that
you gain any security by having PostgreSQL binaries owned by a user
other than root.  It can be convenient to install without requiring
root authority, but this convenience comes at a cost.  This cost is
small enough so that you may be comfortable paying it, but you should
at least correctly understand the tradeoffs involved.
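
An added example, not part of the original message: a Python check that lists which entries in a PostgreSQL bin directory the service account could modify, which is the trojan exposure discussed above when the binaries are owned by postgres rather than root. The account name `postgres`, the function names and the directory passed on the command line are assumptions.

```python
import os
import stat


def modifiable_by(st, uid, gids):
    """True if an account with this uid/gids can change the object described by st."""
    if st.st_uid == uid:                      # the owner can always chmod, then write
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)    # world-writable: anyone can change it


def audit_bindir(bindir, service_uid, service_gids=()):
    """Return sorted paths in bindir (and bindir itself) the service account could tamper with.

    A writable directory counts too: write access to a directory is enough
    to rename a binary away and put a replacement in its place.
    """
    gids = set(service_gids)
    candidates = [bindir]
    for root, dirs, files in os.walk(bindir):
        candidates += [os.path.join(root, name) for name in dirs + files]
    findings = []
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):          # symlink modes mean nothing; its directory is checked
            continue
        if modifiable_by(st, service_uid, gids):
            findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys
    # Assumptions: the service account is named "postgres" and the bin
    # directory to audit is given as the first command-line argument.
    account = pwd.getpwnam("postgres")
    groups = os.getgrouplist(account.pw_name, account.pw_gid)
    for path in audit_bindir(sys.argv[1], account.pw_uid, groups):
        print("postgres can modify:", path)
```

An empty result for a root-owned installation means a compromised postgres account cannot replace `psql` or the other binaries that other users run; the data directory remains writable by postgres in either layout.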
