Re: pgaudit - an auditing extension for PostgreSQL

From: Jim Nasby <Jim(dot)Nasby(at)BlueTreble(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Neil Tiffin <neilt(at)neiltiffin(dot)com>, Yeb Havinga <yebhavinga(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Abhijit Menon-Sen <ams(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, MauMau <maumau307(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Ian Barwick <ian(at)2ndquadrant(dot)com>
Subject: Re: pgaudit - an auditing extension for PostgreSQL
Date: 2015-02-17 18:38:00
Message-ID: 54E38A88.5030607@BlueTreble.com
Lists: pgsql-hackers

On 2/17/15 12:23 PM, Stephen Frost wrote:
> * Jim Nasby (Jim(dot)Nasby(at)BlueTreble(dot)com) wrote:
>> On 2/17/15 12:07 PM, Stephen Frost wrote:
>>> I agree that it's not the auditing job to stop or control access to
>>> data, but it's not so simple to audit the superuser completely. The
>>> issue is that even if you have a hard-coded bit in the binary which says
>>> "audit everything", a superuser can change the running code to twiddle
>>> that bit off, redirect the output of whatever auditing is happening,
>>> gain OS-level (eg: shell) access to the system and then make changes to
>>> the files under PG directly, etc. Setting a bit in a binary and then
>>> not allowing that binary to be unchanged does not actually solve the
>>> issue.
>>
>> If we've allowed a superuser *in the database* that kind of power at
>> the OS level then we have a problem. There needs to be *something*
>> that a database SU can't do at the OS level, otherwise we'll never
>> be able to audit database SU activity.
>
> This isn't a question. The database superuser has essentially OS-level
> privileges as the user which PG runs as.
>
> I'm all for coming up with a less powerful superuser and the work I've
> been involved in around adding more role attributes is along the lines
> to get us there, but I don't think we're ever going to really reduce the
> power that the PG superuser has, for a variety of reasons.
>
> Improving the documentation of what a superuser can do and how granting
> such access is the same as giving OS shell-level access to the system as
> the user that PG runs as would certainly be good.

It certainly would. I'm honestly not totally clear on what all the holes
are.

We may need to bite the bullet and allow changing the user that the
postgres process runs under so it doesn't match who owns the files.
Maybe there's a way to allow that other than having the process start as
root.

Or maybe there's some other way we could restrict what a DB superuser
can do in the shell.
--
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com
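The point made above, that a database superuser already holds the OS-level privileges of the account the server runs as, can be shown with a handful of ordinary SQL statements. This is an added example, not code from the thread or from pgaudit; it assumes PostgreSQL 9.3 or later (for COPY ... PROGRAM) and that pgaudit is loaded with its pgaudit.log setting. The temp table name and the file paths are illustrative.

```sql
-- Added example, not from the thread or from pgaudit. Assumes PostgreSQL 9.3+
-- (COPY ... FROM/TO PROGRAM) and pgaudit loaded with its pgaudit.log GUC.
-- Every statement below requires superuser, and every OS action runs as the
-- server's own OS user (typically "postgres").

-- 1. The audit configuration is just a setting; a superuser can switch it
--    off for the session. (Assumes pgaudit.log is superuser-settable.)
SET pgaudit.log = 'none';

-- 2. Arbitrary shell commands run as the server's OS user. Capture the
--    output in a temp table to see whose identity that is.
CREATE TEMP TABLE shell_out (line text);
COPY shell_out FROM PROGRAM 'id';
SELECT line FROM shell_out;          -- e.g. uid=...(postgres) gid=...

-- 3. On-disk files are reachable directly, bypassing SQL-level auditing:
--    list the data directory and read server files.
SELECT pg_ls_dir('.');               -- paths are relative to the data directory
SELECT pg_read_file('postgresql.conf', 0, 200);

-- 4. Whatever the audit output is written to by that same OS user is
--    within reach too (log path is illustrative).
TRUNCATE shell_out;
COPY shell_out FROM PROGRAM
  'test -w /var/log/postgresql/audit.log && echo writable || echo not-writable';
SELECT line FROM shell_out;
```

Step 4 only checks writability rather than altering the file, but the same COPY ... FROM PROGRAM mechanism could truncate, redirect, or replace the log, which is exactly why an in-database audit trail cannot be trusted to constrain the superuser.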
