On Sun, May  4, 2014 at 11:12:57AM -0400, Tom Lane wrote:
> Stephen Frost <sfr...@snowman.net> writes:
> > * Abhijit Menon-Sen (a...@2ndquadrant.com) wrote:
> >> 1. I wish it were possible to prevent even the superuser from disabling
> >> audit logging once it's enabled, so that if someone gained superuser
> >> access without authorisation, their actions would still be logged.
> >> But I don't think there's any way to do this.
> > Their actions should be logged up until they disable auditing and
> > hopefully those logs would be sent somewhere that they're unable to
> > destroy (eg: syslog).  Of course, we make that difficult by not
> > supporting log targets based on criteria (logging EVERYTHING to syslog
> > would suck).
> > I don't see a way to fix this, except to minimize the amount of things
> > requiring superuser to reduce the chances of it being compromised, which
> > is something I've been hoping to see happen for a long time.
> Prohibiting actions to the superuser is a fundamentally flawed concept.
> If you do that, you just end up having to invent a new "more super"
> kind of superuser who *can* do whatever it is that needs to be done.

We did create a "replication" role that could only read data, right?  Is
that similar?

  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to