On Apr 24, 2006, at 6:31 PM, Qingqing Zhou wrote:
""Jim C. Nasby"" <jnasby@xxxxxxxxxxxxx> wrote
On Mon, Apr 24, 2006 at 06:16:30PM +0800, Qingqing Zhou wrote:
Is it possible to have a superuser who could do CHECKPOINT,
BACKUP and
whatever but could not see any user data?
Not for backup. It'd be rather tricky to allow backing up data
without
being able to read it, afterall.
I believe CHECKPOINT is protected since repeatedly calling it could
result in performance problems, but you can probably get around
that if
needed by using a security-definer function.
Why do you want non-superusers to be able to checkpoint, anyway?
Basically I wonder if I can have a superuer that he has every
priviliges as
he does now (create language, rotate log files, create checkpoint and
everything superuser can do) but one thing I want to make sure is
that he
could not see any user data for security reason (just think my
database is
filled with very important UFO data ;-)). In another word, I need a
superuser be able to maintain database but he know nothing about
what in the
database. Is there a solution for this in PG?
To be able to backup the database the user needs to be able to
write it to a file. They can then read that file, and so read anything
in the database.
So... you're not going to be able to do this _at_all_ from within
the database. You're going to need an external solution, probably
a hideous seteuid thing, if you really want to do this. And it's
a really bad idea, so you probably don't want to.
Cheers,
Steve
