Re: Securing Postgres

L van der Walt wrote:
> Richard Huxton wrote:
>
>> L van der Walt wrote:
>>
>>> The big problem is that the administrators works for the client and
>>> not for me.  I don't want the client to reverse engineer my database.
>>> There might be other applications on the server so the administrators
>>> do require root access.

>> Well, if it's your client's machine, then they any competent
>> administrator will be able to work around anything you do. They set
>> the ground-rules you work in - you could be running inside a virtual
>> machine and never know.

>> Are your clients really so dishonest that they'd break into the
>> database and take the necessary steps to hide their tracks too?

> No I can not trust the clients administrators.

Then you really need to have your own machine.

> I have played now with MySQL and with MySQL you can change the password
> for root in MySQL (same as postgres in PostgreSQL).  If you use the
> command line tools like dump you require the password.  Just because
> your root doesn't mean your root in MySQL

Oh, you can stop playing. But you won't stop a determined administrator
for more than about 5 minutes with just a password.

> Can one separate the user postgres in PostgreSQL from the user postgres
> in Linux(The OS)?

Naturally - just set your pg_hba.conf to use passwords rather than
ident. See the manuals for details.

--
   Richard Huxton
   Archonet Ltd