How? Is there some kernel patch to enable you to completely deny access to root? Tino Wildenhain pointed out SELinux has a feature like that.

Rick Gigger wrote:

> But why do they need access to the files in the file system? Why not
> put them on the local box but don't give them permissions to edit the
> pg_hba file? They should still be able to connect.
>
> On Feb 9, 2006, at 5:56 PM, Q Beukes wrote:
>
>> I did consider that, but the software we use (which again uses
>> postgresql) atm only supports local connection to the database.
>>
>> I am the database admin, the other admins just manage stuff like user
>> accounts, checking logs, etc...
>>
>> Unfortunately there is no other way to set it up, and like I mentioned
>> government security is not required.
>>
>> I did however statically code the pg_hba.conf file into pg binaries.
>>
>> The only way I found to access the db now would be to replace the
>> binary and possibly sniffing traffic. But we're not worried about that.
>> They're not really criminally minded people.
>>
>> thx for everyone's help anyway ;>
>>
>> korry wrote:
>>
>>>> Why would you not simply set this up on a separate machine to
>>>> which only the trusted admins had access? Most data centers I am
>>>> familiar with use single purpose machines anyway. If someone is
>>>> trusted as root on your box they can screw you no matter what you do.
>>>> Pretending otherwise is just folly.
>>>
>>> Agreed - that would be a much better (easier and more secure)
>>> solution where practical.
>>>
>>> -- Korry
>>>
>>> ---------------------------(end of broadcast)---------------------------
>>> TIP 3: Have you checked our extensive FAQ?
>>>
>>> http://www.postgresql.org/docs/faq