Uh. Unless you've done something more than what you say, a windows
administrator can definitely access the data. Maybe most windows
"administrators" don't know how to do it, but it is possible.
I've viewed and changed data on a database on Windows without the database
administrator username and password. I did it to patch a bug in some
software that stored its programs/scripts in a database - we didn't want to
wait for the vendor to fix it. All I needed was a hexeditor and read/write
access to the necessary files - and a bit of luck - fortunately there was
"room" in the code to do the edits. You can't do "inserts/adds" - you can
only overwrite data.
You could make things a bit harder if you have access to a B level trusted
O/S.
But if your "administrators" only need to do a few things you can trust
them with, you might be able to get away with using disk/partition
encryption and sudo or some wrapper scripts for those few things. You then
get the passwords/keys to mount the encrypted partitions/disks remotely via
a secured encrypted channel e.g. ssh or SSL (make sure you check the certs
;) ).
[1] If you have physical access you can have a boot CD that resets the
admin password, but if you don't want to do that, you can always use
Knoppix or something with the necessary NTFS support to read and write the
data. Encryption helps make such things harder, but at some point the keys
to decrypt stuff need to be present so that things can be used - symmetric
encryption is typically used for performance reasons.
Most crypto stuff ends up being some "thingy" that encrypts/decrypts a
small symmetric crypto key, which then in theory can be accessible by a
resourceful person with "root" or "admin".
At 04:31 PM 10/5/2005 +0200, L van der Walt wrote:
Example: On a MS Windows Server with MS SQL Server. The administrator
with the administrator username and password can not access the SQL server
data. He also needs the SA username and password for the SQL server to do
so. He can stop and start the server and so on but not access the data.
How do I secure a system in the same way with Linux and PostgreSQL.
Richard Huxton wrote:
L van der Walt wrote:
I would like to secure Postgres completly.
Some issues that I don't know you to fix:
1. User postgres can use psql (...) to do anything.
Prevent anyone from logging in as user postgres.
Remove psql.
2. User root can su to postgres and thus do anything.
That's the root user - it is supposed to be able to do what it likes.
3. Disable all tools like pg_dump
You can delete the executables, but that's not going to stop people
running their own version if they can connect.
How do I secure a database if I don't trust the administrators.
The administrator will not break the db but they may not view
any information in the databse.
If you don't trust the administrators of the machine, there's nothing you
can do if they have physical access to it. They'll always be able to work
around anything you can do.
Can you say more about the situation - it might be someone has been in a
similar situation themselves?
--
Richard Huxton
Archonet Ltd
---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings
---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
