From Fedora Project Wiki
m (→PostgreSQL: Typos) |
(→PostgreSQL: Clarify DB owners as user admins) |
||
| Line 54: | Line 54: | ||
Generally preferred practices that go beyond the above standard: | Generally preferred practices that go beyond the above standard: | ||
# The database user (typically an application or process ID, but possibly an interactive ID) should have a lower privilege level than the database owner. In particular, the database user should not have the ability to CREATE or DROP anything. | # The database user (typically an application or process ID, but possibly an interactive ID) should have a lower privilege level than the database owner. In particular, the database user should not have the ability to CREATE or DROP anything. | ||
# The database owner should have a lower privilege level than the system or superuser. The superuser is not subject to any privilege checks. Therefore it should be used only sparingly or never. Database owners may create users and assign passwords | # The database owner should have a lower privilege level than the system or superuser. The superuser is not subject to any privilege checks. Therefore it should be used only sparingly or never. Database owners, instead of superusers, may create users and assign passwords. | ||
Unfortunately, in PostgreSQL, not all superuser tasks can be delegated to database owners, because ''postgres'' owns all the schema tables in all the databases. It therefore makes little sense to give DB owners the ability to create databases. Depending on the installation, DB owners may create roles, although that capability is not included in this recommendation. Note that ''usage'' access to the ''public'' schema only allows resolution of symbolic names into object IDs (OIDs). The following is a suggested standard. | Unfortunately, in PostgreSQL, not all superuser tasks can be delegated to database owners, because ''postgres'' owns all the schema tables in all the databases. It therefore makes little sense to give DB owners the ability to create databases. Depending on the installation, DB owners may create roles, although that capability is not included in this recommendation. Note that ''usage'' access to the ''public'' schema only allows resolution of symbolic names into object IDs (OIDs). The following is a suggested standard. | ||
Revision as of 22:52, 27 March 2010
User Information
- Name: Allen Kistler
- Fedora Account: akistler
- Email: akistler AT fedoraproject DOT org
- Personal: http://akistler.fedorapeople.org/
- IRC: a-k on freenode (#fedora and #fedora-admin mostly)
- GPG key ID: 0D6A9E5B
- Location: Chicago, IL USA
I've been an RHL/Fedora user since RHL 7.0. I'm also an RHCE.
You can leave me messages on my Talk page, although I make no guarantee how soon I'll read it.
Contributions to Fedora
Member of the Fedora Infrastructure team.
I also find bugs and post them to Bugzilla, sometimes with patches.
Current Effort
Notes and Reference
PostgreSQL
The Database Infrastructure SOP includes the following steps to help secure a database:
- db2 $ sudo -u postgres createdb -E utf8 NEWDB
- db2 $ sudo -u postgres createuser -P -E NEWDBUSER
Password: <randomly generated password> - db2 $ sudo -u postgres psql NEWDB
- NEWDB=# revoke all on database NEWDB from public;
- NEWDB=# revoke all on schema public from public;
- NEWDB=# grant all on schema public to NEWDBUSER;
- NEWDB=# [grant other permissions to NEWDBUSER as appropriate for your app]
Generally preferred practices that go beyond the above standard:
- The database user (typically an application or process ID, but possibly an interactive ID) should have a lower privilege level than the database owner. In particular, the database user should not have the ability to CREATE or DROP anything.
- The database owner should have a lower privilege level than the system or superuser. The superuser is not subject to any privilege checks. Therefore it should be used only sparingly or never. Database owners, instead of superusers, may create users and assign passwords.
Unfortunately, in PostgreSQL, not all superuser tasks can be delegated to database owners, because postgres owns all the schema tables in all the databases. It therefore makes little sense to give DB owners the ability to create databases. Depending on the installation, DB owners may create roles, although that capability is not included in this recommendation. Note that usage access to the public schema only allows resolution of symbolic names into object IDs (OIDs). The following is a suggested standard.
- In pg_hba.conf
- local all postgres ident sameuser
- local all all md5
- As postgres (one-time setup)
- # create a non-superuser admin/owner and leave public usage on the public schema
- $ sudo -u postgres createuser -P -E -S -D -R dbowner
- $ sudo -u postgres psql
- =# revoke all privileges on database postgres from public;
- =# revoke create on schema public from public;
- (tbd) *** ??? grant all privileges on schema public to dbowner; ??? ***
- As postgres (once per database)
- # create the new db and leave public usage on the public schema
- $ sudo -u postgres createdb -O dbowner -E utf8 <newDB>
- $ sudo -u postgres createuser -P -E -S -D -R <newDB-user>
- $ sudo -u postgres psql
- =# revoke all privileges on database <newDB> from public;
- =# grant temp on database <newDB> to <newDB-user>; (if required)
- =# \c <newDB>
- =# revoke create on schema public from public;
- =# grant all privileges on schema public to dbowner; (tbd - ??? need to match in postgres ???)
- As dbowner (once per databse or as needed)
- $ psql -U dbowner <newDB>
- # Run whatever scripts to create the new schema and dictionary
- # Grant whatever Select/Insert/Update/Delete/etc. privileges to <newDB-user>