Re: Securing Postgres

From Richard_D_Levine@raytheon.com
Subject Re: Securing Postgres
Date
Msg-id OFAF8CD7AC.2C71D2A7-ON05257091.00518928-05257091.0052608B@ftw.us.ray.com
In reply to Re: Securing Postgres (Berend Tober <btober@seaworthysys.com>)
List pgsql-general
You could look at what the SELinux extensions now available in at least the Red
Hat (and Fedora) distro offer.  I have never done anything with SELinux,
and a quick review of the archives indicates it is not a slam dunk to use.
It is designed to create the kind of restrictive environment you describe.

Without the physical security Berend describes, any other security measures
are illusions.  All other security measures are easily broken by
alternating boot drives, as an example.  I carry a multitool on my
keychain.

Rick

pgsql-general-owner@postgresql.org wrote on 10/05/2005 09:23:58 AM:

> L van der Walt wrote:
>
> > I would like to secure Postgres completely.
> >
> > Some issues that I don't know how to fix:
> > 1.  User postgres can use psql (...) to do anything.
> > 2.  User root can su to postgres and thus do anything.
> > 3. Disable all tools like pg_dump
> >
> > How do I secure a database if I don't trust the administrators?
> > The administrator will not break the db but they may not view
> > any information in the database.
>
> It may be just me and my silly old-fashioned attitudes, but I kind of
> think that if your sys admin(s) cannot be trusted, you are pretty much
> screwed. And your hiring process needs fixing.
>
> But being that as it may, maintaining physical security, i.e., keeping
> the host server in a locked room with restricted and recorded access and
> that requires at least two persons present so that collusion is required
> for tampering, disabling remote root login, granting limited sys admin
> privileges with sudo (which records the sudoer activities, for auditing
> purposes) might be a way to accomplish what you are looking for.

