Bytes | Software Development & Data Engineering Community

security question

hello,

i'm very new to postgres and have a fundamental question.
how do i make a pg-db most secure?
i feel, that pg_user e.g. is something very dangerous - isn't it? if
someone hacks into a db, then he has lots of information at his/her
fingertips. is this so?

what do i do to prevent my db from being hacked?

greetings
hans

---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to ma*******@postgresql.org so that your
message can get through to the mailing list cleanly

Nov 23 '05 #1
> i'm very new to postgres and have a fundamental question.
> how do i make a pg-db most secure?
> i feel, that pg_user e.g. is something very dangerous - isn't it? if
> someone hacks into a db, then he has lots of information at his/her
> fingertips. is this so?
>
> what do i do to prevent my db from being hacked?


If you want to make sure it is never hacked into, here are two
suggestions:

1. Don't connect it to a computer network or phone line.
2. Don't turn it on.

Seriously, most of the risks are NOT application or database-specific.

In other words, if a hacker can get to your computer, it almost definitely
isn't postgreSQL's fault, and there may not be much you can do about it
from a database perspective once the hacker gets in. If the hacker can
get dba, sysadmin or root access, you're fully compromised.

PostgreSQL has a number of security features in it to control access
privileges for both local and remote (networked) users, as do most
major database platforms. If you are a DBA, you need to be aware of
these, most of them are fairly well documented in the online manual
on postgresql.org. Specifically read the sections on GRANT and
on hba_conf.
--
Mike Nolan


Nov 23 '05 #2
On Tue, 11 May 2004, zu****@iname.com wrote:
> hello,
>
> i'm very new to postgres and have a fundamental question.
> how do i make a pg-db most secure?
> i feel, that pg_user e.g. is something very dangerous - isn't it? if
> someone hacks into a db, then he has lots of information at his/her
> fingertips. is this so?
>
> what do i do to prevent my db from being hacked?


Hiding what is in pg_user (note the password field is blanked out) would
qualify as obscurity, not security. Security is provided by things like
checking the connection libraries postgresql uses to make sure there are
no buffer overflows or that things that would let a user gain unauthorized
access are not in place.

This topic comes up about once every three months, with someone thinking
that being able to see the database schema represents a security threat.

obscurity <> security

PostgreSQL is, as far as I've been able to ascertain, quite secure, as
long as you've configured it properly.

For instance, having authentication set to trust means that anyone can
become anyone else. That's fine if you and two other dbas are the only
people who connect to the machine, but in an environment where hundreds of
users may be using the database cluster, you can't rely on trust anymore,
and have to go to md5 passwords or ident authentication.

Forcing users to connect via SSL with md5 passwords is generally
considered the most secure method for connections.

What a user can see of the rest of the database is not a security issue,
though in an environment with thousands of users, it could be a usability
issue, where someone has to look through hundreds and hundreds of tables
to find their own.

Which is why separate databases and / or schemas are often used.

But in general, PostgreSQL is very well designed and quite secure.

Nov 23 '05 #3
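As an added example (not code from the thread or from PostgreSQL itself), a small Python checker that parses pg_hba.conf rules and flags the two weak settings the replies above describe: `trust` authentication, which lets anyone matching the rule become any user, and remote rules that use `host` instead of `hostssl` and so do not force SSL. Both configuration samples are constructed for the example.

```python
# Constructed sample: the permissive pg_hba.conf the reply warns about.
WEAK_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   0.0.0.0/0      md5
"""

# Constructed sample: the same cluster locked down as the reply recommends.
HARDENED_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  md5
hostssl all       all   10.0.0.0/8     md5
"""


def parse_pg_hba(text):
    """Return one dict per rule; 'local' rules have no ADDRESS column."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        want = 4 if f[0] == "local" else 5
        if len(f) < want:
            raise ValueError(f"line {lineno}: malformed {f[0]} rule")
        addr = None if f[0] == "local" else f[3]
        rules.append(dict(line=lineno, type=f[0], database=f[1], user=f[2],
                          address=addr, method=f[want - 1]))
    return rules


def audit_pg_hba(text):
    """Return (line, severity, message) tuples; an empty list means clean."""
    findings = []
    for r in parse_pg_hba(text):
        where = r["address"] or "the local socket"
        if r["method"] == "trust":
            # trust skips authentication: anyone matching the rule is that user
            findings.append((r["line"], "critical",
                             f"{r['type']} rule lets any client on {where} "
                             f"become '{r['user']}' without a password"))
        elif r["type"] in ("host", "hostnossl"):
            # 'host' also matches plain TCP; only 'hostssl' forces encryption
            findings.append((r["line"], "warning",
                             f"{r['type']} rule for {where} does not force SSL; "
                             "use hostssl so sessions are encrypted"))
    return findings
```

Running `audit_pg_hba(WEAK_HBA)` reports two critical and one warning finding, while the hardened sample reports none.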
