Обсуждение: Can we hide data from the superadmin

Disclaimer :- This e-mail and any attachment may contain confidential, proprietary or legally privileged information. If you are not the origin al intended recipient and have erroneously received this message, you are prohibited from using, copying, altering or disclosing the content of this message. Please delete it immediately and notify the sender. Newgen Software Technologies Ltd (NSTL) accepts no responsibilities for los s or damage arising from the use of the information transmitted by this email including damages from virus and further acknowledges that no bin ding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of NSTL.

2009/12/29 Tarun Sharma <tarun.sharma@newgen.co.in>:
> hi
>
> when a superuser is logged in to the postgres server ,he has priveledge to access all the databases.
>
> can we hide the structure of some of the databases from the superuser?
> like if he gives command to open such a database the postgres may ask for access password again.

You can use pg_hba.comf to lock down which database the superuser can
access. And then have one superuser for each database, or something
like that. But once you're in the database, you have full access.

Which is a good reason to never hand out superuser privileges, yes :-)

-- Magnus HaganderMe: http://www.hagander.net/Work: http://www.redpill-linpro.com/

----- Original Message -----

From: Tarun Sharma

To: pgsql-hackers@postgresql.org

Sent: Tuesday, December 29, 2009 3:56 PM

Subject: Can we hide data from the superadmin

hi

 

when a superuser is logged in to the postgres server ,he has priveledge to access all the databases.

 

can we hide the structure of some of the databases from the superuser?

like if he gives command to open such a database the postgres may ask for access password again. 

 

as in Oracle Database Vault, organizations can pro-actively safeguard application data stored in the Oracle database from being accessed by privileged database users

kindly assist me if there exists any solution for this problem.

 

thanks,

tarun sharma

Disclaimer :- This e-mail and any attachment may contain confidential, proprietary or legally privileged information. If you are not the origin al intended recipient and have erroneously received this message, you are prohibited from using, copying, altering or disclosing the content of this message. Please delete it immediately and notify the sender. Newgen Software Technologies Ltd (NSTL) accepts no responsibilities for los s or damage arising from the use of the information transmitted by this email including damages from virus and further acknowledges that no bin ding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of NSTL.

Tarun Sharma wrote:
> hi,
> 
> i assigned super user privelledge to a user by specifing entries in pg_hba.conf file as 
> 
> host    all    newuser    127.1.1.1 md5
> 
> and the default postgres user is made access to only the default postgres databse and is no more the super user.
> 
> the problem is that this conf file is available to all and can be changed again.

It is only available to all if all is somebody who has superuser access
to the operating system, which is something you should avoid.

If you don't trust your OS superuser, there's nothing you can do.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.