agora inbox for postgres@postgres.berkeley.edu
help / color / mirror / Atom feedRe: Postgres security
6+ messages / 5 participants
[nested] [flat]
* Postgres security
@ 1991-11-07 16:18 Paul B. Poh <ppoh@jade2.tufts.edu>
1991-11-07 10:54 ` Re: Postgres security
0 siblings, 1 reply; 6+ messages in thread
From: Paul B. Poh @ 1991-11-07 16:18 UTC (permalink / raw)
To: legacy
Hi,
I've just installed postgres on a Sun and I'm looking at the possibility of
using postgres as a database server for an user accounting system I'm
writing. I built libpq on a Convex 3220 and I wrote a sample program on
the Convex to access a demo database on the Sun. Everything works great.
My question is: Does postgres do any kind of security checks to prevent
unauthorized users from accessing another users database. There did not
appear to be anykind of checks to prevent me from reading the database on
the Sun.
I'm also wondering if there is a postgres usenet conference.
----
Paul Poh
ppoh@jade.tufts.edu
Academic Computer Services
Tufts University
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Postgres security
1991-11-07 16:18 Postgres security Paul B. Poh <ppoh@jade2.tufts.edu>
@ 1991-11-07 10:54 `
0 siblings, 0 replies; 6+ messages in thread
From: @ 1991-11-07 10:54 UTC (permalink / raw)
To: legacy
In message <9111071618.AA15926@postgres.Berkeley.EDU> you write:
> I've just installed postgres on a Sun and I'm looking at the possibility of
> using postgres as a database server for an user accounting system I'm
> writing. I built libpq on a Convex 3220 and I wrote a sample program on
> the Convex to access a demo database on the Sun. Everything works great.
>
> My question is: Does postgres do any kind of security checks to prevent
> unauthorized users from accessing another users database. There did not
> appear to be anykind of checks to prevent me from reading the database on
> the Sun.
Postgres is currently very weak in the area of security. The only check it
does is against pg_user to ensure that the person using Postgres is allowed
to do so. Any postgres user can access any database and examine any relation
in the that database.
The postgres rule systems can provide a rather unique way of doing your
own security. i.e. defining rules to protect your relations. There is
currently no builtin mechanism to for determining whose accessing the system,
but you can define your own function to determine this. However,
without network security and serious DBMS support these measures would be
easy to circumvent.
> I'm also wondering if there is a postgres usenet conference.
no.
Jeff Meredith
mer@postgres.berkeley.edu
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Postgres security
@ 1991-11-08 11:51 Tom Vijlbrief <tom@izf.tno.nl>
0 siblings, 0 replies; 6+ messages in thread
From: Tom Vijlbrief @ 1991-11-08 11:51 UTC (permalink / raw)
To: legacy
Hi,
I've just installed postgres on a Sun and I'm looking at the possibility of
using postgres as a database server for an user accounting system I'm
writing. I built libpq on a Convex 3220 and I wrote a sample program on
the Convex to access a demo database on the Sun. Everything works great.
My question is: Does postgres do any kind of security checks to prevent
unauthorized users from accessing another users database. There did not
appear to be anykind of checks to prevent me from reading the database on
the Sun.
A related problem is the filemodes in the data/base directories.
File modes used to be 755 (directory) and 600 (files) in older versions
as I remember correctly.
Today:
drwxrwxrwx 2 postgres 1536 Nov 8 12:08 ./
drwxr-xr-x 8 postgres 512 Nov 7 14:43 ../
-rw-rw-rw- 1 postgres 32768 Nov 8 12:07 .nfs7B21
-rw-rw-rw- 1 postgres 32768 Nov 8 12:07 .nfs8B21
-rw-rw-rw- 1 postgres 16384 Nov 8 12:08 .nfs9B21
-rw-rw-rw- 1 postgres 16384 Nov 8 12:08 .nfsAB21
-rw-r--r-- 1 postgres 4 Oct 7 09:59 PG_VERSION
-rw-rw-rw- 1 postgres 0 Nov 8 12:07 ap_529408
-rw-rw-rw- 1 postgres 0 Oct 15 16:27 bigcity
-rw-rw-rw- 1 postgres 122880 Oct 7 13:55 borders
-rw-rw-rw- 1 postgres 24576 Oct 7 12:33 bordersindex
-rw-rw-rw- 1 postgres 40960 Oct 15 16:09 bordersmap
-rw-rw-rw- 1 postgres 24576 Oct 15 14:39 bordersmapindex
-rw-rw-rw- 1 postgres 147456 Oct 29 06:45 cities
-rw-rw-rw- 1 postgres 270336 Nov 8 10:55 col1
-rw-rw-rw- 1 postgres 0 Oct 15 16:27 distview
-rw-rw-rw- 1 postgres 8192 Oct 19 06:45 dynamic
-rw-rw-rw- 1 postgres 8192 Nov 8 12:07 geo_active_apr
-rw-rw-rw- 1 postgres 8192 Nov 8 12:07 geo_ap
-rw-rw-rw- 1 postgres 8192 Oct 7 13:54 geo_colors
-rw-rw-rw- 1 postgres 8192 Nov 1 06:45 geo_dyninfo
-rw-rw-rw- 1 postgres 16384 Oct 7 13:55 geo_icons
and
-rw-r--r-- 1 postgres 32768 Nov 8 12:07 pg_class
-rw-r--r-- 1 postgres 8192 Oct 31 06:45 pg_index
-rw-r--r-- 1 postgres 0 Oct 7 09:59 pg_inheritproc
-rw-r--r-- 1 postgres 8192 Oct 15 16:09 pg_inherits
-rw-r--r-- 1 postgres 8192 Oct 15 16:09 pg_ipl
-rw-r--r-- 1 postgres 8192 Oct 7 13:54 pg_language
-rw-r--r-- 1 postgres 8192 Oct 7 13:54 pg_opclass
-rw-r--r-- 1 postgres 24576 Oct 16 06:45 pg_operator
-rw-r--r-- 1 postgres 8192 Oct 7 13:54 pg_parg
-rw-r--r-- 1 postgres 0 Oct 7 09:59 pg_platter
-rw-r--r-- 1 postgres 0 Oct 7 09:59 pg_plmap
-rw-r--r-- 1 postgres 40960 Oct 16 06:45 pg_proc
So system relations are ok (created by createdb) but user relations
(created by create) are incorrect....
Tom
^ permalink raw reply [nested|flat] 6+ messages in thread
* Postgres security
@ 1994-07-22 09:15 Egan F. Ford <egan@cbs.cis.com>
1994-07-22 17:59 ` Re: Postgres security Paul M. Aoki <aoki@CS.Berkeley.EDU>
1994-07-22 18:40 ` Postgres security Mark Costlow <cheeks@swcp.com>
0 siblings, 2 replies; 6+ messages in thread
From: Egan F. Ford @ 1994-07-22 09:15 UTC (permalink / raw)
To: legacy
How can I protect my postgres 4.2 data from others on the net? I was told
the only way was to install kerberos. Is this still true with the non-beta
release of 4.2?
Thanks.
--
Egan F. Ford
egan@cbs.cis.com
==============================================================================
To add/remove yourself to/from the POSTGRES mailing list: send mail with
the subject line ADD or DEL to "postgres-request@postgres.Berkeley.EDU"
If this fails, send mail to "post_questions@postgres.Berkeley.EDU" and
a human will deal with it. DO NOT post to the "postgres" mailing list.
==============================================================================
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Postgres security
1994-07-22 09:15 Postgres security Egan F. Ford <egan@cbs.cis.com>
@ 1994-07-22 17:59 ` Paul M. Aoki <aoki@CS.Berkeley.EDU>
1 sibling, 0 replies; 6+ messages in thread
From: Paul M. Aoki @ 1994-07-22 17:59 UTC (permalink / raw)
To: Egan F. Ford <egan@cbs.cis.com>; +Cc: legacy
egan@cbs.cis.com (Egan F. Ford) writes:
> How can I protect my postgres 4.2 data from others on the net? I was told
> the only way was to install kerberos. Is this still true with the non-beta
> release of 4.2?
yes. 4.2-final has no new features as compared to 4.2-beta, just a
new port (solaris2) and a couple of bug fixes.
--
Paul M. Aoki | University of California at Berkeley
aoki@CS.Berkeley.EDU | Dept. of EECS, Computer Science Division (#1776)
| Berkeley, CA 94720-1776
==============================================================================
To add/remove yourself to/from the POSTGRES mailing list: send mail with
the subject line ADD or DEL to "postgres-request@postgres.Berkeley.EDU"
If this fails, send mail to "post_questions@postgres.Berkeley.EDU" and
a human will deal with it. DO NOT post to the "postgres" mailing list.
==============================================================================
^ permalink raw reply [nested|flat] 6+ messages in thread
* Postgres security
1994-07-22 09:15 Postgres security Egan F. Ford <egan@cbs.cis.com>
@ 1994-07-22 18:40 ` Mark Costlow <cheeks@swcp.com>
1 sibling, 0 replies; 6+ messages in thread
From: Mark Costlow @ 1994-07-22 18:40 UTC (permalink / raw)
To: egan@cbs.cis.com; +Cc: legacy
On Fri, 22 Jul 94 9:15:44 MDT,
egan@cbs.cis.com (Egan F. Ford) said:
Egan> How can I protect my postgres 4.2 data from others on the net? I was
Egan> told the only way was to install kerberos. Is this still true with
Egan> the non-beta release of 4.2?
This was the only way that I found. If you find another one, I'd like to
hear about it.
Mark
--
Mark Costlow
Southwest Cyberport - Public Access Internet in Albuquerque, NM
Email: cheeks@swcp.com Voice: 505-271-0009
==============================================================================
To add/remove yourself to/from the POSTGRES mailing list: send mail with
the subject line ADD or DEL to "postgres-request@postgres.Berkeley.EDU"
If this fails, send mail to "post_questions@postgres.Berkeley.EDU" and
a human will deal with it. DO NOT post to the "postgres" mailing list.
==============================================================================
^ permalink raw reply [nested|flat] 6+ messages in thread
end of thread, other threads:[~1994-07-22 18:40 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
1991-11-07 16:18 Postgres security Paul B. Poh <ppoh@jade2.tufts.edu>
1991-11-07 10:54 `
1991-11-08 11:51 Re: Postgres security Tom Vijlbrief <tom@izf.tno.nl>
1994-07-22 09:15 Postgres security Egan F. Ford <egan@cbs.cis.com>
1994-07-22 17:59 ` Paul M. Aoki <aoki@CS.Berkeley.EDU>
1994-07-22 18:40 ` Mark Costlow <cheeks@swcp.com>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox