Discussion: Is there any such thing as PostgreSQL security on a hosted website?
(I know cross-posting is evil, but I'm not getting any responses over on the .novice newsgroup, and I feel this is an important topic that needs attention. Apologies in advance...)

Summary:

What is to stop a company that is hosting my PostgreSQL-enabled website from changing my pg_hba.conf file to "TRUST" so that they can go in and snoop around my online PostgreSQL databases?

Detail:

My website is currently being hosted by a company that includes 10 PostgreSQL databases, but they do not allow me superuser access (the hosting company issues me a PostgreSQL userid/password that does not have "CREATEDB" privileges), and I am also on a shared instance of PostgreSQL with other users (I can see their userids from the phpPgAdmin tool).

This seemed like an obvious security breach, so I looked into another website hosting company that offers a private instance of PostgreSQL, but they still want to have superuser access to my databases so that they can do things like vacuum the database. They're willing to forgo superuser access for themselves if I agree to pay for any support costs that occur because they *don't* have such access, but what is to stop them from altering the settings in pg_hba.conf to "TRUST" so that they can go in and snoop around my databases anyway? The answer is, there's **nothing** to stop them from doing that, right?

Unless I am completely missing something, this "TRUST" setting seems to be a gaping maw of a security hole. And if that's true, there really isn't any point in denying the new website host superuser access rights, correct? And if THAT's true, I really can't use PostgreSQL for anything private or sensitive (e.g., storing customer credit card information), correct?

Thanks...
Don't know enough to answer the Q, but I do know that Verio and presumably other ISPs provide Postgres support WITH root privileges. In the end though, unless you host on your own server, your ISP has complete control anyway.

On Friday 26 July 2002 1:06 pm, you wrote:
> (I know cross-posting is evil, but I'm not getting any responses over on
> the .novice newsgroup, and I feel this is an important topic that needs
> attention. Apologies in advance...)
>
> Summary:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?
Scott Gammans sez:
> (I know cross-posting is evil, but I'm not getting any responses over on the
> .novice newsgroup, and I feel this is an important topic that needs
> attention. Apologies in advance...)
>
> Summary:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?
[...]
> Unless I am completely missing something, this "TRUST"
> setting seems to be a gaping maw of a security hole.
> And if that's true, there really isn't any point in
> denying the new website host superuser access rights,
> correct? And if THAT's true, I really can't use
> PostgreSQL for anything private or sensitive (e.g.,
> storing customer credit card information), correct?

You cannot expect to have a secure database on an insecure system. Period. If you don't trust the people who have root access to the machine hosting your database, you can't trust the database.

A possible workaround is to have your database on another (trusted) system which only accepts TCP connections from localhost and use a socket forwarded by ssh to make that database available on the untrusted system. Of course, you can't trust the untrusted system not to grab the password for the postgres user you are using, since they can always hack ssh and/or sshd.

Ultimately, if you don't trust your sysadmins then you need to look into different sysadmins. Nothing can be secured if the people with physical access to the system can't be trusted.

> Thanks...

--Greg
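The localhost-only listener plus ssh-forwarded socket that Greg sketches above, as an added example that is not part of the thread or of PostgreSQL's own documentation. It shows a pg_hba.conf for the trusted database host with no "trust" rules, a small audit function that lists any trust rules in a pg_hba.conf you are handed (the configuration the original post worries about is included as a constructed sample), and the ssh command the untrusted web host would run to reach the database. The host name dbhost.example, the user appuser and the local port 5433 are assumed placeholders. As the replies point out, the audit only tells you what the file says today; whoever has root on the database host can change it or read the data files directly.

```shell
#!/bin/sh
# Added example, not from the thread. Sketches the workaround described above:
# PostgreSQL lives on a host you control, listens only on loopback, and the
# untrusted web host reaches it through an ssh-forwarded port.
# dbhost.example, appuser and port 5433 are assumed placeholders.

# postgresql.conf on the trusted DB host (bind to loopback only):
#   listen_addresses = 'localhost'

# pg_hba.conf on the trusted DB host: password auth, loopback only, no 'trust'.
HBA_GOOD='# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   md5
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5'

# Constructed sample of the configuration the original post worries about.
HBA_BAD='# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   trust
host    all       all   0.0.0.0/0       trust'

# Read a pg_hba.conf on stdin and print every rule whose METHOD is trust.
# The METHOD column is the 4th field for "local" rules and the 5th for
# host/hostssl/hostnossl rules (which carry an ADDRESS column).
# Exit status 0 if any trust rule was found, 1 otherwise.
hba_trust_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { method = ($1 == "local") ? $4 : $5 }
        tolower(method) == "trust" { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Number of trust rules in the config text given as $1.
hba_trust_count() {
    printf '%s\n' "$1" | hba_trust_lines | wc -l | tr -d ' '
}

# The command the web host runs to forward local port 5433 to the DB host's
# loopback listener; the web app then connects to 127.0.0.1:5433. Printed,
# not executed, since it needs a real host and an ssh key.
tunnel_cmd() {
    printf 'ssh -N -L 5433:127.0.0.1:5432 appuser@%s\n' "$1"
}

echo "trust rules in hardened config: $(hba_trust_count "$HBA_GOOD")"   # 0
echo "trust rules in weak config:     $(hba_trust_count "$HBA_BAD")"    # 2
tunnel_cmd dbhost.example
```

The audit deliberately reads the METHOD column by position rather than grepping for the word "trust", so a database or role literally named "trust" does not trigger it. Run it against the file the hosting company gives you before and after any support visit; a difference is worth a conversation, even though it proves nothing about what root did with the data files.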
Hi Scott,

In my opinion, if you really want to have security, you can't run a database in a shared environment. You should think about setting up a dedicated machine.

Even if there was no way to set the pg_hba.conf to TRUST, they could easily copy the whole db-root to a different machine and change the permission settings there. Your data isn't safe at all, as long as anyone else has a root password to alter/copy/read the files.

Kind regards,
Henrik Steffen
Managing Director, top concepts Internetmarketing GmbH
http://www.topconcepts.com

----- Original Message -----
From: "Scott Gammans" <nospam_deepgloat@yahoo.com>
To: <pgsql-general@postgresql.org>
Sent: Friday, July 26, 2002 3:06 PM
Subject: [GENERAL] Is there any such thing as PostgreSQL security on a hosted website?

> (I know cross-posting is evil, but I'm not getting any responses over on the
> .novice newsgroup, and I feel this is an important topic that needs
> attention. Apologies in advance...)
>
> Summary:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?
On Friday 26 Jul 2002 2:06 pm, Scott Gammans wrote:
> (I know cross-posting is evil, but I'm not getting any responses over on
> the .novice newsgroup, and I feel this is an important topic that needs
> attention. Apologies in advance...)
>
> Summary:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?

Your hosting company has root access to the whole server and access to the backup tapes. You have no security from them other than the trust embodied in a business relationship.

If you want complete control over a server, have your own server.

- Richard Huxton
Scott Gammans wrote:
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?

Nothing.

> My website is currently being hosted by a company that
> includes 10 PostgreSQL databases, but they do not
> allow me superuser access (the hosting company issues
> me a PostgreSQL userid/password that does not have
> "CREATEDB" privileges) and I am also on a shared
> instance of PostgreSQL with other users (I can see
> their userids from the phpPgAdmin tool).
>
> This seemed like an obvious security breach

Why? Others can see you, but they can't touch you. The only ones that can touch you are the superusers, i.e. the hosting company. But they can do that anyway since they have physical access to that machine.

Jochem
"Scott Gammans" <nospam_deepgloat@yahoo.com> writes:
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?

If they have root on the machine running your DBMS, then only their own integrity stops them from snooping all they want. There is NOTHING that Postgres can possibly do to defend itself against a root user. "TRUST" is the least of your worries --- they can always just examine the physical files holding the database.

regards, tom lane