On Sun, May 4, 2014 at 11:12:57AM -0400, Tom Lane wrote: > Stephen Frost <[email protected]> writes: > > * Abhijit Menon-Sen ([email protected]) wrote: > >> 1. I wish it were possible to prevent even the superuser from disabling > >> audit logging once it's enabled, so that if someone gained superuser > >> access without authorisation, their actions would still be logged. > >> But I don't think there's any way to do this. > > > Their actions should be logged up until they disable auditing and > > hopefully those logs would be sent somewhere that they're unable to > > destroy (eg: syslog). Of course, we make that difficult by not > > supporting log targets based on criteria (logging EVERYTHING to syslog > > would suck). > > > I don't see a way to fix this, except to minimize the amount of things > > requiring superuser to reduce the chances of it being compromised, which > > is something I've been hoping to see happen for a long time. > > Prohibiting actions to the superuser is a fundamentally flawed concept. > If you do that, you just end up having to invent a new "more super" > kind of superuser who *can* do whatever it is that needs to be done.
We did create a "replication" role that could only read data, right? Is that similar? -- Bruce Momjian <[email protected]> http://momjian.us EnterpriseDB http://enterprisedb.com + Everyone has their own god. + -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
