Re: Required permissions for data directory
| От | Joshua D. Drake |
|---|---|
| Тема | Re: Required permissions for data directory |
| Дата | |
| Msg-id | 416C363F.2090503@commandprompt.com обсуждение исходный текст |
| Ответ на | Re: Required permissions for data directory (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Required permissions for data directory
|
| Список | pgsql-hackers |
Tom Lane wrote: > "Joshua D. Drake" <jd@commandprompt.com> writes: > >>Tom Lane wrote: >> >>>Being able to edit postgresql.conf gives one the ability to become >>>postgres (hint: you can cause the backend to load a shlib of your >>>choosing, or even more trivially, adjust pg_hba.conf to let you in >>>as superuser), so the above distinction is unenforceable. > > >>Again, the responsibility of the administrator for the system. > > > How so? The point is that there is *no such thing* as giving someone > config edit permissions without thereby implicitly trusting them with > the keys to the city. Well that isn't entirely true. Yes, you are obviously correct in that if I give a user the ability to edit the pg_hba.conf file -- that user has the ability to become a superuser for PostgreSQL and completely screw my database. That is what lawyers are for. However, it is also true that by having the ability to give say a tier2 the ability to edit the postgresql.conf withough the ability to log in as postgres or root, then that user can not stop/start the database, or have root access. They can however, allow another IP, user, network access. I can also put other items in place that detect a change in those files fairly easily. Which means if there isn't a work order stating change this file, then a tier3 is notified. If you trust them that much, you may as well let > them su to postgres. There is no point in using group membership as a > substitute. I disagree. I trust my tier1 to make a change to the conf file and let me know the changes are done and ready for review. I do not trust my tier1 to arbitrarily turn on logging, blow the config, restart postgresql and have it not start up because of the error.... Allowing that tier1 to su to postgres gives them that capability. Sincerely, Joshua D. Drake > > regards, tom lane -- Command Prompt, Inc., home of PostgreSQL Replication, and plPHP. Postgresql support, programming shared hosting and dedicated hosting. +1-503-667-4564 - jd@commandprompt.com - http://www.commandprompt.com Mammoth PostgreSQL Replicator. Integrated Replication for PostgreSQL
Вложения
В списке pgsql-hackers по дате отправления: