Re: Update actions (with user name) inside PostgreSQL DB - any version on postgreSQL


 



In Linux you can set up and use the "sudo" option. For those you don't wish to have root access, simply make them sudoers, then change the root password. This forces those users to type "sudo" (w/o quotes) at the beginning of each command they want to run (e.g. sudo psql db_name "insert into...."). The user will then be prompted for THEIR password. If their userid is in the sudoers file, the command will run with root privileges. It also logs their actions in a log file (usually in /var/log - but that is configurable) which has read permission only for root.
 
Once the first sudo command is run, the sudoers can continue to run commands with root privileges for 10 minutes in that shell (the time is adjustable). We use it at my office and it has been effective.
 
You can then scour the log file to see what activities have been carried out by your sudoers... a possible workaround to this problem.
 
Dave

On Wed, Mar 14, 2012 at 9:03 AM, Robin Iddon <robin@xxxxxxxxxx> wrote:
You lose if you have provided people you do not trust with root access
they can be whoever they want to be and there is nothing you can do
about it.  In my belief there is absolutely no way of making the system
safe with untrusted root users.  Don't waste your time trying.

Any attempt to create an audit trail by adding in username capture in
the software is doomed to being circumvented by anybody with root access
who doesn't want to be traced.

For example:

robin$ su - root
root# su - kgama
kgama$ su - root ... do something bad.

Now it looks like you did it, even though it was me.

Robin

On Wed, 2012-03-14 at 14:39 +0200, Khangelani Gama wrote:
> Hi, anyone with an idea based on my latest comments below? Thanks
>
> -----Original Message-----
> From: Khangelani Gama [mailto:kgama@xxxxxxxxxxxx]
> Sent: Wednesday, March 14, 2012 1:25 PM
> To: 'Robin Iddon'; 'pgsql-admin@xxxxxxxxxxxxxx'
> Subject: RE: Update actions (with user name) inside PostgreSQL DB -
> any version on postgreSQL
>
> Thanks, the issue we have is that we have many Linux users with root
> access to the system. So they're able to access the DB by just going in as
> "su - superusername". If this user is able to make any updates inside the
> database it might create problems. Auditors want PostgreSQL to tell who
> updated what inside the database, besides the client users that access the
> database from outside using some applications. So this common
> "superusername" doesn't tell the actual person who got into the system and
> went on to make updates inside the database, because they first logged in as
> their Linux users before going in as the postgres user called
> "superusername".
>
> -----Original Message-----
> From: pgsql-admin-owner@xxxxxxxxxxxxxx
> [mailto:pgsql-admin-owner@xxxxxxxxxxxxxx] On Behalf Of Robin Iddon
> Sent: Wednesday, March 14, 2012 12:54 PM
> To: pgsql-admin@xxxxxxxxxxxxxx
> Subject: Re: Update actions (with user name) inside PostgreSQL DB -
> any version on postgreSQL
>
> What do you want to have happen to the timestamp/user?
>
> You can obviously do:
>
> update test set t4 = 9, user = <someuser>, timestamp = <sometimestamp> where
> t1 = 001;
>
> I'm assuming you're trying to store the user and timestamp somewhere else,
> though?
>
> Robin
>
> On Wed, 2012-03-14 at 12:44 +0200, Khangelani Gama wrote:
> >
> > Hi
> >
> > Is it possible to have an update query that will specify the action,
> > timestamp and user who’s making the update inside the database? Can this
> > be done without any script, just in the transaction block?
> >
> > Example:
> >
> > dbtest=# UPDATE table test set t4 = 9 where t1 = 001 then specify
> > user_name,  timestamp() ;
> >
> > Thanks in advance
> >
> > C O N F I D E N T I A L I T Y   N O T I C E
> > The contents of and attachments to this e-mail are intended for the
> > addressee only, and may contain the confidential information of
> > Argility (Proprietary) Limited and/or its subsidiaries. Any review,
> > use or dissemination thereof by anyone other than the intended
> > addressee is prohibited. If you are not the intended addressee please
> > notify the writer immediately and destroy the e-mail. Argility
> > (Proprietary) Limited and its subsidiaries distance themselves from
> > and accept no liability for unauthorised use of their e-mail
> > facilities or e-mails sent other than strictly for business purposes.
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx) To make
> changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin






--
Dave Ondrejik - Senior Hydrologist
National Weather Service
Middle Atlantic River Forecast Center
328 Innovation Blvd, Suite #330
State College, PA 16870
(814) 231-2403
david.ondrejik@xxxxxxxx
 
See us on the web at:
http://www.weather.gov/marfc
 
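The server-side audit trail the thread keeps circling (record who changed what, and when, without changing the application's own UPDATE statements), as an added example that is not part of any message above. It is plain PostgreSQL with a PL/pgSQL trigger; the table, column and function names (test, audit_log, audit_row, test_audit) are assumptions chosen to match Khangelani's sample query, and the limits spelled out after the block are Robin's and Khangelani's own points.

```sql
-- Added example, not from the thread. Names are illustrative assumptions.
-- Answers the original question: the UPDATE stays exactly as the application
-- writes it; a trigger appends the "who / when / what changed" row.

CREATE TABLE test (
    t1 integer PRIMARY KEY,
    t4 integer
);

CREATE TABLE audit_log (
    id             bigserial   PRIMARY KEY,
    table_name     text        NOT NULL,
    operation      text        NOT NULL,          -- INSERT / UPDATE / DELETE
    session_role   text        NOT NULL,          -- role that logged in (session_user)
    effective_role text        NOT NULL,          -- role in effect after SET ROLE (current_user)
    client_addr    inet,                          -- NULL for local Unix-socket connections
    changed_at     timestamptz NOT NULL DEFAULT now(),
    old_row        text,                          -- row image before the change
    new_row        text                           -- row image after the change
);

-- SECURITY DEFINER: the function runs as its owner, so the roles doing the
-- updates need no INSERT privilege on audit_log (and cannot be granted DELETE).
CREATE OR REPLACE FUNCTION audit_row() RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
BEGIN
    INSERT INTO audit_log (table_name, operation, session_role, effective_role,
                           client_addr, old_row, new_row)
    VALUES (TG_TABLE_NAME,
            TG_OP,
            session_user,
            current_user,
            inet_client_addr(),
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN OLD::text END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN NEW::text END);
    IF TG_OP = 'DELETE' THEN
        RETURN OLD;
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER test_audit
AFTER INSERT OR UPDATE OR DELETE ON test
FOR EACH ROW EXECUTE PROCEDURE audit_row();

-- Nobody but the owner (and superusers) can read or rewrite the history.
REVOKE ALL ON audit_log FROM PUBLIC;

-- The application's statements are unchanged; the trigger records them.
INSERT INTO test VALUES (1, 0);
UPDATE test SET t4 = 9 WHERE t1 = 1;

-- One row per change: who (DB role), when, from where, before and after.
SELECT operation, session_role, effective_role, client_addr, changed_at,
       old_row, new_row
FROM audit_log
ORDER BY id;
```

What this does and does not give the auditors: session_user is the PostgreSQL role that authenticated, so if everybody does su - postgres and connects over the Unix socket, every audit row reads the same shared role with a NULL client_addr, which is exactly the gap Khangelani describes. The fix on the database side is one role per person (with SET ROLE for any shared elevated role, so session_role still names the individual); the link from Linux user to that role is what Dave's sudo log supplies on the OS side, and log_line_prefix with %u in postgresql.conf records the same role in the server log. Robin's warning still stands: a superuser can ALTER TABLE test DISABLE TRIGGER test_audit or DELETE FROM audit_log, so this records what trusted people did for an auditor; it does not constrain a hostile root.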

