Message-Id: <199511052354.PAA12977@nobozo.CS.Berkeley.EDU>
To: Tim Bass <bass@dune.silkroad.com>,
    Konstantinos Agouros <elwood@rumba.m.isar.de>
cc: postgres95@postgres.Berkeley.EDU
Reply-to: rp2y+@CS.cmu.edu
Subject: Re: Security? 
References: <199511051753.MAA06632@dune.silkroad.com> 
In-reply-to: Your message of "Sun, 05 Nov 1995 12:53:56 EST."
             <199511051753.MAA06632@dune.silkroad.com> 
Date: Sun, 05 Nov 1995 18:53:47 -0500
From: Robert Patrick <Robert_Patrick@methi.ndim.edrc.cmu.edu>

> > 
> > Hi,
> > 
> > I have a question about security. As I haven't tried out Postgres in a networked
> > environment, I am not quite sure how authentication works across a network.
> > Could somebody enlighten me, as I am too lazy for a 'use the source, Luke'?
> > 
> > Konstantin
> 
> There are others who can answer this better ...... but I can tell you
> a very simple concern....
> 
> the postmaster runs happily on a port and anyone with access to that
> port, unrestricted, could wipe out an entire database....
> 
> One method is to filter the port at your firewall... maybe someone
> can enlighten us on other non-kerberos postgres techniques.
> 
> -Tim

Currently, the non-kerberos solution is that the Unix user id (I believe this 
is the real UID, not the effective UID) of the client process is compared 
against the authorized users of the database.  I believe the beginnings of 
support for a simple table of "authorized hosts" may exist (I remember some 
talk about it, but I don't remember how much of it, if any, was implemented). 
Obviously, none of this is very secure.

For much better security, Kerberos authentication hooks have been provided.  
Unfortunately, Kerberos requires a significant amount of effort to set up.  
However, many organizations are moving toward Kerberos because it not only 
provides authentication, it can provide encryption of data being sent across 
the wire in a secure way (without which you really don't have security).  For 
example, the X consortium is adding (or has already added) Kerberos hooks to X.

However, you must remember that Postgres95 is written on top of the Unix file 
system so there is really no such thing as "real" security for Postgres95 
databases (except for physical isolation, hardware packet filtering, to a 
lesser extent firewalls, etc.).  If you require security features more than 
those provided, may I suggest that you would probably be better off going with 
a commercial package, such as Illustra (commercial version of Postgres).  

If, on the other hand, you want to hack in the security features yourself, the 
place to start is by looking at src/backend/libpq/{auth, pqcomm, pqpacket}.c 
and src/backend/postmaster/postmaster.c.  This is the code that manages the 
initial "handshake" with client applications.  By changing the way this code 
works, you could provide a "limited" amount of security from unauthorized 
connections.

For even greater security, you would need to change the way that the function 
manager works so that all executable object code (i.e., functions) loaded into 
the backend does not run in "trusted" mode.  I must warn you that this is not 
a trivial job.

Hope this helps,
Robert


===============================================================================
  To unsubscribe from the Postgres95 mailing list, send mail with the subject
  line "DEL" to "postgres95-request@postgres.Berkeley.EDU". 
============  URL: http://s2k-ftp.CS.Berkeley.EDU:8000/postgres95/  ===========
