On Fri, 2004-06-04 at 10:59, Igor Borisovsky wrote:
> Thanks for reply.
> Let me explain in more details my problem.
> I have the database server under RedHat9.
> The postgresql database contains very important secure data.
> So nobody should have access to this data directly.
> Only authorized clients via SSL connections should have access.
> In the ordinary linux user root can steal postgresql data files or
> edit pg_hba.conf file to give access to itself.
> Thus I want to use FC2 to control access to data files for user root.
> User root should be only linux server administrator. For example, root
> should be able to create/delete user, install software/hardware, start/stop
> services. But root must not have access to postgresql files.

You can use SELinux to ensure that only certain applications have direct
access to the files. But if root can install software, then he can just
replace those applications with his own code to get access to the files.
Or he can replace any code or configuration on which those applications
depend, e.g. the kernel, ld.so, whatever. And if there is any user
account which is authorized to access those files and you let root
manage user accounts, then root can gain access to those accounts. Not
to mention issues of raw disk access, whether direct or indirect via
filesystem administrative utilities. See the problem?

So you would have to strip root of _many_ typical administrative
privileges to truly enforce such a guarantee.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
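
The dependency argument in the reply above can be checked mechanically. The following is an added example, not part of the original message and not SELinux policy: the node names and edges are a constructed model of the dependencies the reply lists, and the absence of any edge from `start_stop_services` is an assumption of the model.

```python
from collections import deque

# Constructed model (not a real SELinux policy). An edge A -> B means
# "whoever controls A can gain control of B", per the reply's reasoning.
CONTROLS = {
    "install_software": ["postgres_binary", "ld.so", "kernel"],
    "manage_users": ["postgres_account"],
    "fs_admin_utils": ["raw_disk"],
    "start_stop_services": [],  # assumed to grant no control over code or data
    "postgres_binary": ["postgres_process"],
    "ld.so": ["postgres_process"],
    "kernel": ["postgres_process", "raw_disk"],
    "postgres_account": ["postgres_process"],
    "postgres_process": ["db_files"],
    "raw_disk": ["db_files"],
}


def path_to(target, start, graph=CONTROLS):
    """Breadth-first search: shortest control chain from start to target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(privileges, target="db_files"):
    """Map each administrative privilege to the chain that reaches target."""
    return {p: path_to(target, p) for p in privileges}


# Privileges the administrator role is meant to keep (hypothetical labels).
ROOT_WISHLIST = ["manage_users", "install_software",
                 "fs_admin_utils", "start_stop_services"]

if __name__ == "__main__":
    for priv, chain in audit(ROOT_WISHLIST).items():
        print(f"{priv:20} ->", " -> ".join(chain) if chain else "no path")
```

Every privilege with a non-empty chain has to be removed from the administrator role, or the intermediate object has to be protected by policy, before the guarantee on the data files holds.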