Is there any such thing as PostgreSQL security on a hosted website?

Started by Scott Gammans over 23 years ago, 7 messages, general
#1Scott Gammans
nospam_deepgloat@yahoo.com

(I know cross-posting is evil, but I'm not getting any responses over on the
.novice newsgroup, and I feel this is an important topic that needs
attention. Apologies in advance...)

Summary:

What is to stop a company that is hosting my
PostgreSQL-enabled website from changing my
pg_hba.conf file to "TRUST" so that they can go in and
snoop around my online PostgreSQL databases?

Detail:

My website is currently being hosted by a company that
includes 10 PostgreSQL databases, but they do not
allow me superuser access (the hosting company issues
me a PostgreSQL userid/password that does not have
"CREATEDB" privileges) and I am also on a shared
instance of PostgreSQL with other users (I can see
their userids from the phpPgAdmin tool).

This seemed like an obvious security breach, so I
looked into another website hosting company that
offers a private instance of PostgreSQL, but they
still want to have superuser access to my databases so
that they can do things like vacuum the database.
They're willing to forgo superuser access for
themselves if I agree to pay for any support costs
that occur because they *don't* have such access, but
what is to stop them from altering the settings in
pg_hba.conf to "TRUST" so that they can go in and
snoop around my databases anyway? The answer is,
there's **nothing** to stop them from doing that,
right?

Unless I am completely missing something, this "TRUST"
setting seems to be a gaping maw of a security hole.
And if that's true, there really isn't any point in
denying the new website host superuser access rights,
correct? And if THAT's true, I really can't use
PostgreSQL for anything private or sensitive (e.g.,
storing customer credit card information), correct?

Thanks...

#2Richard Huxton
dev@archonet.com
In reply to: Scott Gammans (#1)
Re: Is there any such thing as PostgreSQL security on a hosted website?

On Friday 26 Jul 2002 2:06 pm, Scott Gammans wrote:

(I know cross-posting is evil, but I'm not getting any responses over on
the .novice newsgroup, and I feel this is an important topic that needs
attention. Apologies in advance...)

Summary:

What is to stop a company that is hosting my
PostgreSQL-enabled website from changing my
pg_hba.conf file to "TRUST" so that they can go in and
snoop around my online PostgreSQL databases?

Your hosting company has root access to the whole server and access to the
backup tapes. You have no security from them other than the trust embodied in
a business relationship.

If you want complete control over a server, have your own server.

- Richard Huxton

#3Gregory Seidman
gss+pg@cs.brown.edu
In reply to: Scott Gammans (#1)
Re: Is there any such thing as PostgreSQL security on a hosted website?

Scott Gammans sez:
} (I know cross-posting is evil, but I'm not getting any responses over on the
} .novice newsgroup, and I feel this is an important topic that needs
} attention. Apologies in advance...)
}
} Summary:
}
} What is to stop a company that is hosting my
} PostgreSQL-enabled website from changing my
} pg_hba.conf file to "TRUST" so that they can go in and
} snoop around my online PostgreSQL databases?
[...]
} Unless I am completely missing something, this "TRUST"
} setting seems to be a gaping maw of a security hole.
} And if that's true, there really isn't any point in
} denying the new website host superuser access rights,
} correct? And if THAT's true, I really can't use
} PostgreSQL for anything private or sensitive (e.g.,
} storing customer credit card information), correct?

You cannot expect to have a secure database on an insecure system. Period.
If you don't trust the people who have root access to the machine hosting
your database, you can't trust the database. A possible workaround is to
have your database on another (trusted) system which only accepts TCP
connections from localhost and use a socket forwarded by ssh to make that
database available on the untrusted system. Of course, you can't trust the
untrusted system not to grab the password for the postgres user you are
using since they can always hack ssh and/or sshd. Ultimately, if you don't
trust your sysadmins then you need to look into different sysadmins.
Nothing can be secured if the people with physical access to the system
can't be trusted.

} Thanks...
--Greg
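As an added example (not from the thread or the PostgreSQL project): a small Python audit of pg_hba.conf that reports the "trust" entries the original poster is worried about, so a tenant who can at least read the file can notice such a change. It assumes the 7.x-era column layout (TYPE DATABASE USER ADDRESS [MASK] METHOD), well-formed lines, and a constructed sample file.

```python
import re
from typing import List, NamedTuple

# Constructed sample pg_hba.conf (not from the thread). The "trust" lines
# are the kind of edit the poster worries about: password-less access.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    trust
host    all       all   127.0.0.1/32     md5
host    shopdb    web   10.0.0.0/8       trust
host    all       all   192.168.1.0 255.255.255.0 trust
host    all       all   0.0.0.0/0        reject
"""

class HbaRule(NamedTuple):
    conn_type: str   # local, host, hostssl, hostnossl
    database: str
    user: str
    address: str     # empty for "local" rules
    method: str

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf columns, accepting both CIDR and ADDRESS MASK forms."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not fields:
            continue
        if fields[0] == "local":
            # Unix-socket rules carry no address column
            rules.append(HbaRule(fields[0], fields[1], fields[2], "", fields[3]))
            continue
        address, rest = fields[3], fields[4:]
        if rest and _IPV4.match(address) and _IPV4.match(rest[0]):
            address = address + " " + rest[0]    # old-style separate netmask
            rest = rest[1:]
        rules.append(HbaRule(fields[0], fields[1], fields[2], address, rest[0]))
    return rules

def trust_findings(text: str) -> List[str]:
    """One finding per rule whose method is "trust" (no password asked)."""
    findings = []
    for r in parse_pg_hba(text):
        if r.method != "trust":
            continue
        if r.conn_type == "local":
            findings.append(f"local trust: any OS user on the box may log in as {r.user}")
        else:
            findings.append(f"network trust: {r.address} may log in as {r.user} to {r.database}")
    return findings
```

As the replies point out, this only detects an edit to the file; it cannot stop someone with root, who can rewrite pg_hba.conf again or read the data files directly.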

#4Henrik Steffen
steffen@city-map.de
In reply to: Scott Gammans (#1)
Re: Is there any such thing as PostgreSQL security on a hosted website?

hi scott,

in my opinion, if you really want to have security,
you can't run a database in a shared environment. you should
think about setting up a dedicated machine.

even if there was no way to set the pg_hba.conf to TRUST,
they could easily copy the whole db-root to a different machine
and change the permission-settings there. your data isn't safe
at all, as long as anyone else has a root-pw to alter/copy/read
the files.

With kind regards

Henrik Steffen
Managing Director

top concepts Internetmarketing GmbH
Am Steinkamp 7 - D-21684 Stade - Germany
--------------------------------------------------------
http://www.topconcepts.com Tel. +49 4141 991230
mail: steffen@topconcepts.com Fax. +49 4141 991233
--------------------------------------------------------
24h-Support Hotline: +49 1908 34697 (EUR 1.86/Min,topc)
--------------------------------------------------------
System partners wanted: http://www.franchise.city-map.de
--------------------------------------------------------
Commercial register: AG Stade HRB 5811 - VAT ID: DE 213645563
--------------------------------------------------------

----- Original Message -----
From: "Scott Gammans" <nospam_deepgloat@yahoo.com>
To: <pgsql-general@postgresql.org>
Sent: Friday, July 26, 2002 3:06 PM
Subject: [GENERAL] Is there any such thing as PostgreSQL security on a hosted website?


(I know cross-posting is evil, but I'm not getting any responses over on the
.novice newsgroup, and I feel this is an important topic that needs
attention. Apologies in advance...)

Summary:

What is to stop a company that is hosting my
PostgreSQL-enabled website from changing my
pg_hba.conf file to "TRUST" so that they can go in and
snoop around my online PostgreSQL databases?

Detail:

My website is currently being hosted by a company that
includes 10 PostgreSQL databases, but they do not
allow me superuser access (the hosting company issues
me a PostgreSQL userid/password that does not have
"CREATEDB" privileges) and I am also on a shared
instance of PostgreSQL with other users (I can see
their userids from the phpPgAdmin tool).

This seemed like an obvious security breach, so I
looked into another website hosting company that
offers a private instance of PostgreSQL, but they
still want to have superuser access to my databases so
that they can do things like vacuum the database.
They're willing to forgo superuser access for
themselves if I agree to pay for any support costs
that occur because they *don't* have such access, but
what is to stop them from altering the settings in
pg_hba.conf to "TRUST" so that they can go in and
snoop around my databases anyway? The answer is,
there's **nothing** to stop them from doing that,
right?

Unless I am completely missing something, this "TRUST"
setting seems to be a gaping maw of a security hole.
And if that's true, there really isn't any point in
denying the new website host superuser access rights,
correct? And if THAT's true, I really can't use
PostgreSQL for anything private or sensitive (e.g.,
storing customer credit card information), correct?

Thanks...


#5Jochem van Dieten
jochemd@oli.tudelft.nl
In reply to: Scott Gammans (#1)
Re: Is there any such thing as PostgreSQL security on a

Scott Gammans wrote:

What is to stop a company that is hosting my
PostgreSQL-enabled website from changing my
pg_hba.conf file to "TRUST" so that they can go in and
snoop around my online PostgreSQL databases?

Nothing.

My website is currently being hosted by a company that
includes 10 PostgreSQL databases, but they do not
allow me superuser access (the hosting company issues
me a PostgreSQL userid/password that does not have
"CREATEDB" privileges) and I am also on a shared
instance of PostgreSQL with other users (I can see
their userids from the phpPgAdmin tool).

This seemed like an obvious security breach

Why? Others can see you, but they can't touch you. The only ones that
can touch you are the superusers, i.e. the hosting company. But they can
do that anyway since they have physical access to that machine.

Jochem

#6Oliver Kohll
oliver@gtwebmarque.com
In reply to: Scott Gammans (#1)
Re: Is there any such thing as PostgreSQL security on a hosted website?

Don't know enough to answer Q, but I do know that Verio and presumably other
ISPs provide postgres support WITH root privileges. In the end though, unless
you host on your own server, your ISP has complete control anyway.


On Friday 26 July 2002 1:06 pm, you wrote:

(I know cross-posting is evil, but I'm not getting any responses over on
the .novice newsgroup, and I feel this is an important topic that needs
attention. Apologies in advance...)

Summary:

What is to stop a company that is hosting my
PostgreSQL-enabled website from changing my
pg_hba.conf file to "TRUST" so that they can go in and
snoop around my online PostgreSQL databases?

#7Tom Lane
tgl@sss.pgh.pa.us
In reply to: Scott Gammans (#1)
Re: Is there any such thing as PostgreSQL security on a hosted website?

"Scott Gammans" <nospam_deepgloat@yahoo.com> writes:

What is to stop a company that is hosting my
PostgreSQL-enabled website from changing my
pg_hba.conf file to "TRUST" so that they can go in and
snoop around my online PostgreSQL databases?

If they have root on the machine running your DBMS, then only their own
integrity stops them from snooping all they want. There is NOTHING that
Postgres can possibly do to defend itself against a root user. "TRUST"
is the least of your worries --- they can always just examine the
physical files holding the database.

regards, tom lane