Database security is addressed at several levels: Data base file protection. All files stored within the database are protected from reading by any account other than the Postgres superuser account. Connections from a client to the database server are, by default, allowed only via a local Unix socket, not via TCP/IP sockets. The backend must be started with the -i option to allow non-local clients to connect. Client connections can be restricted by IP address and/or user name via the pg_hba.conf file in PG_DATA. Client connections may be authenticated vi other external packages. Each user in Postgres is assigned a username and (optionally) a password. By default, users do not have write access to databases they did not create. Users may be assigned to groups, and table access may be restricted based on group privileges. Authentication is the process by which the backend server and postmaster ensure that the user requesting access to data is in fact who he/she claims to be. All users who invoke Postgres are checked against the contents of the pg_user class to ensure that they are authorized to do so. However, verification of the user's actual identity is performed in a variety of ways: From the user shell A backend server started from a user shell notes the user's (effective) user-id before performing a setuid to the user-id of user postgres. The effective user-id is used as the basis for access control checks. No other authentication is conducted. From the network If the Postgres system is built as distributed, access to the Internet TCP port of the postmaster process is available to anyone. The DBA configures the pg_hba.conf file in the PGDATA directory to specify what authentication system is to be used according to the host making the connection and which database it is connecting to. See pg_hba.conf(5) for a description of the authentication systems available. Of course, host-based authentication is not fool-proof in Unix, either. It is possible for determined intruders to also masquerade the origination host. Those security issues are beyond the scope of Postgres. Host-based access control is the name for the basic controls PostgreSQL exercises on what clients are allowed to access a database and how the users on those clients must authenticate themselves. Each database system contains a file named pg_hba.conf, in its PGDATA directory, which controls who can connect to each database. Every client accessing a database must be covered by one of the entries in pg_hba.conf. Otherwise all attempted connections from that client will be rejected with a "User authentication failed" error message. The general format of the pg_hba.conf file is of a set of records, one per line. Blank lines and lines beginning with a hash character ("#") are ignored. A record is made up of a number of fields which are separated by spaces and/or tabs. Connections from clients can be made using Unix domain sockets or Internet domain sockets (ie. TCP/IP). Connections made using Unix domain sockets are controlled using records of the following format: local database authentication method where database specifies the database that this record applies to. The value all specifies that it applies to all databases. authentication method specifies the method a user must use to authenticate themselves when connecting to that database using Unix domain sockets. The different methods are described below. Connections made using Internet domain sockets are controlled using records of the following format. host database TCP/IP address TCP/IP mask authentication method The TCP/IP address is logically anded to both the specified TCP/IP mask and the TCP/IP address of the connecting client. If the two resulting values are equal then the record is used for this connection. If a connection matches more than one record then the earliest one in the file is used. Both the TCP/IP address and the TCP/IP mask are specified in dotted decimal notation. If a connection fails to match any record then the reject authentication method is applied (see below). The following authentication methods are supported for both Unix and TCP/IP domain sockets: trust The connection is allowed unconditionally. reject The connection is rejected unconditionally. crypt The client is asked for a password for the user. This is sent encrypted (using crypt(3)) and compared against the password held in the pg_shadow table. If the passwords match, the connection is allowed. password The client is asked for a password for the user. This is sent in clear and compared against the password held in the pg_shadow table. If the passwords match, the connection is allowed. An optional password file may be specified after the password keyword which is used to match the supplied password rather than the pg_shadow table. See pg_passwd. The following authentication methods are supported for TCP/IP domain sockets only: krb4 Kerberos V4 is used to authenticate the user. krb5 Kerberos V5 is used to authenticate the user. ident The ident server on the client is used to authenticate the user (RFC 1413). An optional map name may be specified after the ident keyword which allows ident user names to be mapped onto Postgres user names. Maps are held in the file $PGDATA/pg_ident.conf. # Trust any connection via Unix domain sockets. local trust # Trust any connection via TCP/IP from this machine. host all 127.0.0.1 255.255.255.255 trust # We don't like this machine. host all 192.168.0.10 255.255.255.0 reject # This machine can't encrypt so we ask for passwords in clear. host all 192.168.0.3 255.255.255.0 password # The rest of this group of machines should provide encrypted passwords. host all 192.168.0.0 255.255.255.0 crypt To define a new user, run the createuser utility program. To assign a user or set of users to a new group, one must define the group itself, and assign users to that group. In Postgres these steps are not currently supported with a create group command. Instead, the groups are defined by inserting appropriate values into the pg_group system table, and then using the grant command to assign privileges to the group. Currently, there is no easy interface to set up user groups. You have to explicitly insert/update the pg_group table. For example: jolly=> insert into pg_group (groname, grosysid, grolist) jolly=> values ('posthackers', '1234', '{5443, 8261}'); INSERT 548224 jolly=> grant insert on foo to group posthackers; CHANGE jolly=> The fields in pg_group are: groname The group name. This a name and should be purely alphanumeric. Do not include underscores or other punctuation. grosysid The group id. This is an int4. This should be unique for each group. grolist The list of pg_user id's that belong in the group. This is an int4[]. Postgres provides mechanisms to allow users to limit the access to their data that is provided to other users. Database superusers Database super-users (i.e., users who have pg_user.usesuper set) silently bypass all of the access controls described below with two exceptions: manual system catalog updates are not permitted if the user does not have pg_user.usecatupd set, and destruction of system catalogs (or modification of their schemas) is never allowed. Access Privilege The use of access privilege to limit reading, writing and setting of rules on classes is covered in grant/revoke(l). Class removal and schema modification Commands that destroy or modify the structure of an existing class, such as alter, drop table, and drop index, only operate for the owner of the class. As mentioned above, these operations are never permitted on system catalogs. Functions and rules allow users to insert code into the backend server that other users may execute without knowing it. Hence, both mechanisms permit users to trojan horse others with relative impunity. The only real protection is tight control over who can define functions (e.g., write to relations with SQL fields) and rules. Audit trails and alerters on pg_class, pg_user and pg_group are also recommended. Functions written in any language except SQL run inside the backend server process with the permissions of the user postgres (the backend server runs with its real and effective user-id set to postgres. It is possible for users to change the server's internal data structures from inside of trusted functions. Hence, among many other things, such functions can circumvent any system access controls. This is an inherent problem with user-defined C functions. Like SQL functions, rules always run with the identity and permissions of the user who invoked the backend server. There are no plans to explicitly support encrypted data inside of Postgres (though there is nothing to prevent users from encrypting data within user-defined functions). There are no plans to explicitly support encrypted network connections, either, pending a total rewrite of the frontend/backend protocol. User names, group names and associated system identifiers (e.g., the contents of pg_user.usesysid) are assumed to be unique throughout a database. Unpredictable results may occur if they are not. From e-mail by Gene Selkov, Jr. written on 1999-09-08 in response to a question from Eric Marsden. One can use ssh to encrypt the network connection between clients and a Postgres server. Done properly, this should lead to an adequately secure network connection. The documentation for ssh provides most of the information to get started. Please refer to http://www.heimhardt.de/htdocs/ssh.html for better insight. A step-by-step explanation can be done in just two steps. A step-by-step explanation can be done in just two steps. Establish a tunnel to the backend machine, like this: ssh -L 3333:wit.mcs.anl.gov:5432 postgres@wit.mcs.anl.gov The first number in the -L argument, 3333, is the port number of your end of the tunnel. The second number, 5432, is the remote end of the tunnel -- the port number your backend is using. The name or the address in between the port numbers belongs to the server machine, as does the last argument to ssh that also includes the optional user name. Without the user name, ssh will try the name you are currently logged on as on the client machine. You can use any user name the server machine will accept, not necessarily those related to postgres. Now that you have a running ssh session, you can connect a postgres client to your local host at the port number you specified in the previous step. If it's psql, you will need another shell because the shell session you used in is now occupied with ssh. psql -h localhost -p 3333 -d mpw Note that you have to specify the -h argument to cause your client to use the TCP socket instead of the Unix socket. You can omit the port argument if you chose 5432 as your end of the tunnel.