Discussion: Superuser without pg_hba could drop database


Superuser without pg_hba could drop database

From
Mudy Situmorang
Date:
Superuser without pg_hba could drop database from client at pgAdminIII Object browser by left click & Delete/Drop. 

User has superuser rights, but no pg_hba connection entry for the host.

There are warnings on left click, twice:
An error has occured:
FATAL: no pg_hba.conf entry for host "172.17.0.8", user "tempuser", database "testdatabase", SSL on
FATAL: no pg_hba.conf entry for host "172.17.0.8", user "tempuser", database "testdatabase", SSL off

Then the context menu appears; click Delete/Drop, Yes on confirmation.

The database is gone.


pgAdminIII at client:
Windows XP
pgAdminIII 1.10.3 (from PostgreSQL 8.4 windows package)


PostgreSQL 8.4 server:
Ubuntu 10.04



I think it is very dangerous.

Regards,
Mudy


Re: Superuser without pg_hba could drop database

From
Guillaume Lelarge
Date:
On 29/07/2010 07:34, Mudy Situmorang wrote:
> Superuser without pg_hba could drop database from client at pgAdminIII
> Object browser by left click & Delete/Drop.
> 
> User has superuser rights, but no pg_hba connection entry for the host.
> 
> There are warnings on left click, twice:
> An error has occured:
> FATAL: no pg_hba.conf entry for host "172.17.0.8", user "tempuser", database
> "testdatabase", SSL on
> FATAL: no pg_hba.conf entry for host "172.17.0.8", user "tempuser", database
> "testdatabase", SSL off
> 
> Then the context menu appears; click Delete/Drop, Yes on confirmation.
> 
> The database is gone.
> 
> 
> pgAdminIII at client:
> Windows XP
> pgAdminIII 1.10.3 (from PostgreSQL 8.4 windows package)
> 
> 
> PostgreSQL 8.4 server:
> Ubuntu 10.04
> 
> 
> 
> I think it is very dangerous.
> 

This is not an issue with pgAdmin. You can do the same with psql.

BTW, pg_hba.conf file controls who has the right to connect to one
database or another, not the rights users have on objects. To drop a
database, you need to be its owner or a superuser, and you need that
no one is connected to this database. It has nothing to do with the fact
that you are allowed to connect to it.


-- 
Guillaume
 http://www.postgresql.fr
 http://dalibo.com


Re: Superuser without pg_hba could drop database

From
Mudy Situmorang
Date:
psql runs only from the server, while pgAdmin (which is a standard installation in PostgreSQL for Windows) is easily installed on any client.

In a network with several different projects & many databases that require dozens of superusers, pg_hba could provide the required access control.

In this bug, when one superuser password is compromised, then all databases can be dropped from any client using pgAdmin.

IMO this is a major security problem on pgAdmin software.

Regards,
Mudy




Re: Superuser without pg_hba could drop database

From
Guillaume Lelarge
Date:
On 29/07/2010 09:15, Mudy Situmorang wrote:
> psql runs only from the server, while pgAdmin (which is a standard
> installation in PostgreSQL for Windows) is easily installed on any client.
> 

Wrong. psql can run from anywhere. "psql -h ip_of_the_server -U
my_superuser postgres" will connect to the server if the pg_hba.conf
allows me to. And I will be able to drop any database I want.

> In a network with several different projects & many databases that require
> dozens of superusers, pg_hba could provide the required access control.
> 

pg_hba.conf only provides *access* control, not objects' rights control.

> In this bug, when one superuser password is compromised, then all databases can
> be dropped from any client using pgAdmin.
> 

Sure. That's probably why you shouldn't have that many superusers.
Having one or two is understandable. Having more is, to say the least,
weird. Not sure that you know this, but a user can be owner of a
database without being a superuser. If you have a specific owner for
each of the databases, the owners won't be able to drop other databases.
They will only have the right to drop their own.

> IMO this is a major security problem on pgAdmin software.
> 

You mean with every PostgreSQL admin tool. You can do that with any of
them. Even psql. You can easily install psql on a PC and drop a database
if you are a superuser and have the right to connect on at least one
database. I think you misunderstand the use of the superuser. You
shouldn't have a lot of them.


-- 
Guillaume
 http://www.postgresql.fr
 http://dalibo.com


Re: Superuser without pg_hba could drop database

From
Mudy Situmorang
Date:
Ok, Thanks for the answer.


Re: Superuser without pg_hba could drop database

From
Dave Page
Date:
On Thu, Jul 29, 2010 at 8:15 AM, Mudy Situmorang <mudy@astasolusi.com> wrote:
> psql runs only from the server, while pgAdmin (which is a standard
> installation in PostgreSQL for Windows) is easily installed on any client.

Incorrect. psql, like pretty much any PostgreSQL client, can run on any
machine and connect to a remote server.

> In a network with several different projects & many databases that require
> dozens of superusers, pg_hba could provide the required access control.

No, that's not the way to set it up - a superuser can always drop a
database, regardless of pg_hba.conf. You should make roles database
owners rather than superusers to give them control of individual
databases only.

> In this bug, when one superuser password is compromised, then all databases can
> be dropped from any client using pgAdmin.
> IMO this is a major security problem on pgAdmin software.

Real security problems like this are *never* in the client
software, always in the server. If the security was implemented in
pgAdmin, then it would be trivial for an attacker to bypass by writing
their own client, or recompiling pgAdmin without the security check.

But, this is not a security issue as noted above...

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company
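
The setup recommended in the replies above (per-database owners instead of many superusers), sketched as an added example that is not part of the original thread. `tempuser` and `testdatabase` are the names from the report; `project_a_owner`, `project_a` and the password are hypothetical placeholders. Run it as an existing superuser.

```sql
-- 1. Audit: every role listed here can drop ANY database as soon as
--    pg_hba.conf lets it connect to at least one database on the server.
SELECT rolname
FROM pg_roles
WHERE rolsuper
ORDER BY rolname;

-- 2. Audit: current owner of each database. An owner that is not a
--    superuser can drop only the databases it owns.
SELECT d.datname, pg_get_userbyid(d.datdba) AS owner
FROM pg_database d
WHERE NOT d.datistemplate
ORDER BY d.datname;

-- 3. Demote the per-project account from the report and make it the
--    owner of its own database instead of a superuser.
ALTER ROLE tempuser NOSUPERUSER NOCREATEDB NOCREATEROLE;
ALTER DATABASE testdatabase OWNER TO tempuser;

-- 4. New project: a dedicated, non-superuser owner (hypothetical names).
CREATE ROLE project_a_owner LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'CHANGE_ME';  -- placeholder, set a real secret
CREATE DATABASE project_a OWNER project_a_owner;

-- 5. Privilege-level connection control, enforced by the server in
--    addition to pg_hba.conf. The owner keeps CONNECT through ownership.
REVOKE CONNECT ON DATABASE project_a    FROM PUBLIC;
REVOKE CONNECT ON DATABASE testdatabase FROM PUBLIC;

-- 6. Check, run while connected as project_a_owner: the server must
--    reject this because project_a_owner neither owns testdatabase
--    nor is a superuser.
-- DROP DATABASE testdatabase;
```

After step 3, a compromised `tempuser` password exposes only `testdatabase`, whichever client is used, because the check is made by the server.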