Re: Rejecting weak passwords

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Mark Mielke <mark(at)mark(dot)mielke(dot)cc>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Marko Kreen <markokr(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Greg Stark <gsstark(at)mit(dot)edu>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, mlortiz <mlortiz(at)uci(dot)cu>, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>
Subject: Re: Rejecting weak passwords
Date: 2009-10-15 18:54:24
Message-ID: 937d27e10910151154t752043bcm5c203d9b7a8ad7cf@mail.gmail.com
Lists: pgsql-hackers

On Thu, Oct 15, 2009 at 7:22 PM, Mark Mielke <mark(at)mark(dot)mielke(dot)cc> wrote:
> It depends on what your goal is. If your goal is to treat users as monkeys
> that you do not trust, even with their own password, and the DBA as God, who
> you absolutely do trust, then you are correct.
>
> I don't know about your company - but in my company, the DBAs are in the IT
> department, and they really have no business knowing my password, which
> would give them access to my employee records, and my authorization
> capabilities. For any company that requires security, I do not accept that
> we can "trust the DBA". The database is just one small component in a much
> larger solution. The DBA is the monkey for a minor backend application, and
> the designers are the people earning money for the corporation. We have the
> exact opposite of what you are suggesting. A person can get access to much
> more data by logging in as the user on their *desktop* than by accessing
> some database directly.

You have no choice but to trust the DBA (or sysadmin) if you use
PostgreSQL's built-in authentication. Just set a pg_hba.conf line to
'password' and start harvesting passwords.

> I think you are missing that security is a balance. Your dig at ignorant
> people who do JS-based browser side checks of input is not applicable. You
> are exchanging one type of security for another type of security. You think
> that your proposed type of security is more valid than my proposed type of
> security. It depends on the application. Sometimes you might be right. Other
> times, you have arguably made things worse. Any company that truly needs
> security of this sort - should not be using PostgreSQL based roles with
> passwords for authentication. The true value of your proposal is pretty
> limited.

I never said it wasn't - in fact I said from the outset it was about
box-checking, and that anyone doing things properly will use
LDAP/SSPI/Kerberos etc.

What I did say was that my proposed GUC doesn't allow the DBA to do
anything that he cannot already do in a much easier way, per the
comment above.

Anyway, as noted in the message you quoted, the current proposal will
allow my colleagues to check boxes, and will be implemented in a
sensible way on the server side. And it's entirely confined to a
plugin, so if you trust all your users, there's no need for you to
load it at all.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
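
An added example, not part of the original message or of PostgreSQL: an audit script that lists the pg_hba.conf rules using the `password` method mentioned above, under which the server receives the client's password in clear text. The sample file contents and all function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf, not taken from any real server.
SAMPLE_HBA = '''\
# TYPE   DATABASE  USER      ADDRESS        METHOD
local    all       postgres                 peer
host     all       all       10.0.0.0/8     password   # legacy app
host     "sales db" all      192.168.1.0 255.255.255.0 password
hostssl  all       all       0.0.0.0/0      md5
host     all       all       ::1/128        ldap ldapserver=ldap.example.net
'''

def tokenize(line):
    """Split one line: whitespace-separated fields, double quotes, # comments."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'      # pg_hba.conf quotes fields with double quotes only
    lex.escape = ''       # no backslash escapes
    lex.commenters = '#'
    return list(lex)

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def auth_method(fields):
    """Return the auth-method column; its position depends on the record type."""
    if fields[0] == "local":                 # local DATABASE USER METHOD
        idx = 3
    else:                                    # host* DATABASE USER ADDRESS [IP-MASK] METHOD
        idx = 5 if len(fields) > 5 and is_ip(fields[4]) else 4
    return fields[idx] if idx < len(fields) else None

def find_cleartext_rules(text):
    """Return (line_number, record_type, database) for each 'password' rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = tokenize(line)
        if len(fields) < 4 or fields[0].startswith("include"):
            continue  # blank, comment-only, malformed or include directive
        if auth_method(fields) == "password":
            hits.append((lineno, fields[0], fields[1]))
    return hits

if __name__ == "__main__":
    for hit in find_cleartext_rules(SAMPLE_HBA):
        print("cleartext password rule at line %d: type=%s database=%s" % hit)
```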
