| From: | Greg Stark <gsstark(at)mit(dot)edu> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Required permissions for data directory |
| Date: | 2004-10-12 21:18:20 |
| Message-ID: | 87r7o3zlcz.fsf@stark.xeocode.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
"Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
> However, it is also true that by having the ability to give say a tier2 the
> ability to edit the postgresql.conf withough the ability to log in as postgres
> or root, then that user can not stop/start the database, or have root access.
> They can however, allow another IP, user, network access.
What about in my case where it's not that I don't have permission to log in as
postgres it's just that I consider it a pain. It means I can't open files in
my own editor and other tools easily, I have to start up a separate login and
use separate tools.
Or sites where as a matter of policy DBAs and system administrators are
supposed to use their own accounts, not because they couldn't break into the
systems if they chose to, but because it's just better policy.
In general the more often people have to authenticate as root (or postgres in
this case) the more easily it can be compromised, and the less useful audit
records are. ("hm, was this root login a compromise or was it just the 69th
normal root login that day?")
I can understand checking for "anyone" privilege on the basis that that would
never make sense. But checking for "group" access always struck me as dumb. It
assumes the sysadmin is shooting himself in the foot just because he might be.
--
greg
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Pflug | 2004-10-12 21:59:31 | Re: Required permissions for data directory |
| Previous Message | Tom Lane | 2004-10-12 21:10:42 | Re: plans for bitmap indexes? |