Re: Is there any such thing as PostgreSQL security on a hosted website?
From: "Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Is there any such thing as PostgreSQL security on a hosted website?
Date: 2002-07-26 13:06:53
Message-ID: ahrhh8$1654$1@news.hub.org
Lists: pgsql-general

(I know cross-posting is evil, but I'm not getting any responses over on the
.novice newsgroup, and I feel this is an important topic that needs
attention. Apologies in advance...)

Summary:

What is to stop a company that is hosting my
PostgreSQL-enabled website from changing my
pg_hba.conf file to "TRUST" so that they can go in and
snoop around my online PostgreSQL databases?

Detail:

My website is currently being hosted by a company that
includes 10 PostgreSQL databases, but they do not
allow me superuser access (the hosting company issues
me a PostgreSQL userid/password that does not have
"CREATEDB" privileges) and I am also on a shared
instance of PostgreSQL with other users (I can see
their userids from the phpPgAdmin tool).

This seemed like an obvious security breach, so I
looked into another website hosting company that
offers a private instance of PostgreSQL, but they
still want to have superuser access to my databases so
that they can do things like vacuum the database.
They're willing to forgo superuser access for
themselves if I agree to pay for any support costs
that occur because they *don't* have such access, but
what is to stop them from altering the settings in
pg_hba.conf to "TRUST" so that they can go in and
snoop around my databases anyway? The answer is,
there's **nothing** to stop them from doing that,
right?

Unless I am completely missing something, this "TRUST"
setting seems to be a gaping maw of a security hole.
And if that's true, there really isn't any point in
denying the new website host superuser access rights,
correct? And if THAT's true, I really can't use
PostgreSQL for anything private or sensitive (e.g.,
storing customer credit card information), correct?

Thanks...
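A small audit of the pg_hba.conf "trust" setting the post is worried about, added here as an example and not code from the thread or from PostgreSQL itself. It assumes the modern line format (TYPE DATABASE USER [ADDRESS] METHOD, CIDR addresses) and works on a constructed sample file; as the replies point out, it only reports what the file says and offers nothing against someone who holds root.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample pg_hba.conf (not the poster's real file).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
local   all       all                      trust
host    all       all       127.0.0.1/32   md5
host    all       all       0.0.0.0/0      trust
hostssl shopdb    webapp    10.0.0.0/8     scram-sha-256
"""

WEAK_METHODS = {"trust"}               # no authentication at all
LEGACY_METHODS = {"password", "md5"}   # cleartext or weak hashing
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def audit_pg_hba(text: str) -> List[Finding]:
    """Flag entries that skip authentication, use a weak method,
    or accept connections from any address."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":               # no ADDRESS column
            address = None
            method = fields[3] if len(fields) > 3 else ""
        else:                                  # host, hostssl, hostnossl
            address = fields[3] if len(fields) > 3 else None
            method = fields[4] if len(fields) > 4 else ""
        if method in WEAK_METHODS:
            findings.append(Finding(no, raw, f"method '{method}' skips authentication"))
        elif method in LEGACY_METHODS:
            findings.append(Finding(no, raw, f"method '{method}' is weak; prefer scram-sha-256"))
        if address in ANY_ADDRESS:
            findings.append(Finding(no, raw, "entry accepts connections from any address"))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.line_no}: {f.reason}: {f.line.strip()}")
```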


From: Richard Huxton <dev(at)archonet(dot)com>
To: "Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: Is there any such thing as PostgreSQL security on a hosted website?
Date: 2002-07-29 12:50:47
Message-ID: 200207291350.47919.dev@archonet.com
Lists: pgsql-general

On Friday 26 Jul 2002 2:06 pm, Scott Gammans wrote:
> (I know cross-posting is evil, but I'm not getting any responses over on
> the .novice newsgroup, and I feel this is an important topic that needs
> attention. Apologies in advance...)
>
> Summary:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?

Your hosting company has root access to the whole server and access to the
backup tapes. You have no security from them other than the trust embodied in
a business relationship.

If you want complete control over a server, have your own server.

- Richard Huxton


From: Gregory Seidman <gss+pg(at)cs(dot)brown(dot)edu>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Is there any such thing as PostgreSQL security on a hosted website?
Date: 2002-07-29 12:55:58
Message-ID: 20020729125558.GA28125@cs.brown.edu
Lists: pgsql-general

Scott Gammans sez:
} (I know cross-posting is evil, but I'm not getting any responses over on the
} .novice newsgroup, and I feel this is an important topic that needs
} attention. Apologies in advance...)
}
} Summary:
}
} What is to stop a company that is hosting my
} PostgreSQL-enabled website from changing my
} pg_hba.conf file to "TRUST" so that they can go in and
} snoop around my online PostgreSQL databases?
[...]
} Unless I am completely missing something, this "TRUST"
} setting seems to be a gaping maw of a security hole.
} And if that's true, there really isn't any point in
} denying the new website host superuser access rights,
} correct? And if THAT's true, I really can't use
} PostgreSQL for anything private or sensitive (e.g.,
} storing customer credit card information), correct?

You cannot expect to have a secure database on an insecure system. Period.
If you don't trust the people who have root access to the machine hosting
your database, you can't trust the database. A possible workaround is to
have your database on another (trusted) system which only accepts TCP
connections from localhost and use a socket forwarded by ssh to make that
database available on the untrusted system. Of course, you can't trust the
untrusted system not to grab the password for the postgres user you are
using since they can always hack ssh and/or sshd. Ultimately, if you don't
trust your sysadmins then you need to look into different sysadmins.
Nothing can be secured if the people with physical access to the system
can't be trusted.

} Thanks...
--Greg


From: "Henrik Steffen" <steffen(at)city-map(dot)de>
To: "Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com>
Cc: "pg" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Is there any such thing as PostgreSQL security on a hosted website?
Date: 2002-07-29 12:57:45
Message-ID: 014701c236ff$89d51a00$7100a8c0@topconcepts.net
Lists: pgsql-general

hi scott,

in my opinion, if you really want to have security,
you can't run a database in a shared environment. you should
think about setting up a dedicated machine.

even if there was no way to set the pg_hba.conf to TRUST,
they could easily copy the whole db-root to a different machine
and change the permission-settings there. your data isn't safe
at all, as long as anyone else has a root-pw to alter/copy/read
the files.

Kind regards

Henrik Steffen
Managing Director

top concepts Internetmarketing GmbH
Am Steinkamp 7 - D-21684 Stade - Germany
--------------------------------------------------------
http://www.topconcepts.com Tel. +49 4141 991230
mail: steffen(at)topconcepts(dot)com Fax. +49 4141 991233
--------------------------------------------------------
24h-Support Hotline: +49 1908 34697 (EUR 1.86/Min,topc)
--------------------------------------------------------
System partners wanted: http://www.franchise.city-map.de
--------------------------------------------------------
Commercial register: AG Stade HRB 5811 - VAT ID: DE 213645563
--------------------------------------------------------

----- Original Message -----
From: "Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com>
To: <pgsql-general(at)postgresql(dot)org>
Sent: Friday, July 26, 2002 3:06 PM
Subject: [GENERAL] Is there any such thing as PostgreSQL security on a hosted website?

> (I know cross-posting is evil, but I'm not getting any responses over on the
> .novice newsgroup, and I feel this is an important topic that needs
> attention. Apologies in advance...)
>
> Summary:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?
>
> Detail:
>
> My website is currently being hosted by a company that
> includes 10 PostgreSQL databases, but they do not
> allow me superuser access (the hosting company issues
> me a PostgreSQL userid/password that does not have
> "CREATEDB" privileges) and I am also on a shared
> instance of PostgreSQL with other users (I can see
> their userids from the phpPgAdmin tool).
>
> This seemed like an obvious security breach, so I
> looked into another website hosting company that
> offers a private instance of PostgreSQL, but they
> still want to have superuser access to my databases so
> that they can do things like vacuum the database.
> They're willing to forgo superuser access for
> themselves if I agree to pay for any support costs
> that occur because they *don't* have such access, but
> what is to stop them from altering the settings in
> pg_hba.conf to "TRUST" so that they can go in and
> snoop around my databases anyway? The answer is,
> there's **nothing** to stop them from doing that,
> right?
>
> Unless I am completely missing something, this "TRUST"
> setting seems to be a gaping maw of a security hole.
> And if that's true, there really isn't any point in
> denying the new website host superuser access rights,
> correct? And if THAT's true, I really can't use
> PostgreSQL for anything private or sensitive (e.g.,
> storing customer credit card information), correct?
>
> Thanks...


From: Jochem van Dieten <jochemd(at)oli(dot)tudelft(dot)nl>
To: Scott Gammans <nospam_deepgloat(at)yahoo(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Is there any such thing as PostgreSQL security on a
Date: 2002-07-29 13:40:06
Message-ID: 3D4545B6.1000502@oli.tudelft.nl
Lists: pgsql-general

Scott Gammans wrote:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?

Nothing.

> My website is currently being hosted by a company that
> includes 10 PostgreSQL databases, but they do not
> allow me superuser access (the hosting company issues
> me a PostgreSQL userid/password that does not have
> "CREATEDB" privileges) and I am also on a shared
> instance of PostgreSQL with other users (I can see
> their userids from the phpPgAdmin tool).
>
> This seemed like an obvious security breach

Why? Others can see you, but they can't touch you. The only ones that
can touch you are the superusers, i.e. the hosting company. But they can
do that anyway since they have physical access to that machine.

Jochem


From: Oliver Kohll <oliver(at)gtwebmarque(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Is there any such thing as PostgreSQL security on a hosted website?
Date: 2002-07-29 13:58:44
Message-ID: 200207291358.44322.oliver@gtwebmarque.com
Lists: pgsql-general

Don't know enough to answer Q, but I do know that Verio and presumably other
ISPs provide postgres support WITH root privileges. In the end though, unless
you host on your own server, your ISP has complete control anyway.

On Friday 26 July 2002 1:06 pm, you wrote:
> (I know cross-posting is evil, but I'm not getting any responses over on
> the .novice newsgroup, and I feel this is an important topic that needs
> attention. Apologies in advance...)
>
> Summary:
>
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Is there any such thing as PostgreSQL security on a hosted website?
Date: 2002-07-29 14:20:53
Message-ID: 20612.1027952453@sss.pgh.pa.us
Lists: pgsql-general

"Scott Gammans" <nospam_deepgloat(at)yahoo(dot)com> writes:
> What is to stop a company that is hosting my
> PostgreSQL-enabled website from changing my
> pg_hba.conf file to "TRUST" so that they can go in and
> snoop around my online PostgreSQL databases?

If they have root on the machine running your DBMS, then only their own
integrity stops them from snooping all they want. There is NOTHING that
Postgres can possibly do to defend itself against a root user. "TRUST"
is the least of your worries --- they can always just examine the
physical files holding the database.

regards, tom lane