Re: security question

On Tue, 11 May 2004, zuhans@iname.com wrote:

> hello,
> 
> i'm very new to postgres and have a fundamental question.
> how do i make a pg-db most secure?
> i feel, that pg_user e.g. is something very dangerous - isn't it? if 
> someone hacks into a db, then he has lots of information at his/her 
> fingertips. is this so?
> 
> what do i do to prevent my db from being hacked?

Hiding what is in pg_user (note the password field is blanked out) would 
qualify as obscurity, not security.  Security is provided by things like 
checking the connection libraries postgresql uses to make sure there are 
no buffer overflows or that things that would let a user gain unauthorized 
access are not in place.

This topic comes up about once every three months, with someone thinking 
that being able to see the database schema represents a security threat.

obscurity <> security

PostgreSQL is, as far as I've been able to ascertain, quite secure, as 
long as you've configured it properly.  

For instance, having authentication set to trust means that anyone can 
become anyone else.  That's fine if you and two other dbas are the only 
people who connect to the machine, but in an environment where hundreds of 
users may be using the database cluster, you can't rely on trust anymore, 
and have to go to md5 passwords or ident authentication.

Forcing users to connect via SSL with md5 passwords is generally 
considered the most secure method for connections.

What a user can see of the rest of the database is not a security issue, 
though in an environment with thousands of users, it could be a usability 
issue, where someone has to look through hundreds and hundreds of tables 
to find their own.

Which is why separate databases and / or schemas are often used.

But in general, PostgreSQL is very well designed and quite secure.  


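A small audit script for the pg_hba.conf settings the reply above discusses (trust versus md5, and forcing SSL with hostssl). This is an added example, not code from the thread or from the PostgreSQL project; the sample configuration is constructed. It flags trust rules, the cleartext "password" method, and md5 rules on plain "host" lines, which accept both SSL and non-SSL connections and so do not force SSL.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from any real host.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      trust
host    all       all   10.0.0.0/8     password
hostssl all       all   10.0.0.0/8     md5
host    all       all   192.168.1.0  255.255.255.0  ident
"""

def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def parse_hba_line(line):
    """Return (type, database, user, address, method), or None for blank/comment lines."""
    tok = line.split("#", 1)[0].split()
    if not tok:
        return None
    if len(tok) < (4 if tok[0] == "local" else 5):
        raise ValueError(f"malformed pg_hba.conf line: {line!r}")
    if tok[0] == "local":  # local (Unix-socket) rules have no ADDRESS column
        return (tok[0], tok[1], tok[2], None, tok[3])
    addr, rest = tok[3], tok[4:]
    if "/" not in addr and len(rest) > 1 and _is_ipv4(rest[0]):  # old "ADDRESS NETMASK" form
        addr, rest = f"{addr}/{rest[0]}", rest[1:]
    return (tok[0], tok[1], tok[2], addr, rest[0])

def audit_hba(text):
    """Return (line_no, severity, reason) for trust rules, cleartext passwords and md5 without SSL."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_hba_line(line)
        if parsed is None:
            continue
        ctype, _db, _user, addr, method = parsed
        if method == "trust":  # no credential at all: any matching client is any user
            sev = "high" if ctype != "local" else "medium"
            findings.append((n, sev, f"{ctype} trust on {addr or 'local socket'}"))
        elif method == "password":  # password sent in cleartext
            findings.append((n, "high", "cleartext 'password' method; use md5 over hostssl"))
        elif method == "md5" and ctype in ("host", "hostnossl"):
            findings.append((n, "medium", f"{ctype} md5 rule does not require SSL; use hostssl"))
    return findings
```

Run audit_hba on the text of a real pg_hba.conf to list the lines worth tightening; the hostssl line in the sample is the shape the reply recommends and produces no finding.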
