Postgresql – Secure postgres 9.5 database packed on Windows desktop application

Tags: postgresql, postgresql-9.5, role, security, windows

My desktop app includes a postgres database and a front app. I need the db to be accessed only by my front app. The credentials of this user are going to reside in the front app binaries.

I realized it's possible for anyone to use createuser.exe with -s to create a superuser. After that, it would be enough to create a db with createdb.exe, connect to it, and change ownership of my db to the new user, or do whatever.

The only effective way to avoid illegal access I know is to change the template0 and template1 names, so that createdb.exe throws 'template0 not found'. That way anyone could create superusers, but no dbs to connect to.

In addition, it would be necessary to drop the postgres database and the postgres role, and execute these statements:

REVOKE ALL ON DATABASE template1 FROM public;
REVOKE ALL ON SCHEMA public FROM public;

REVOKE ALL ON pg_user FROM public;
REVOKE ALL ON pg_roles FROM public;
REVOKE ALL ON pg_group FROM public;
REVOKE ALL ON pg_authid FROM public;
REVOKE ALL ON pg_auth_members FROM public;

REVOKE ALL ON pg_database FROM public;
REVOKE ALL ON pg_tablespace FROM public;
REVOKE ALL ON pg_settings FROM public;

Can I do something else?

Best Answer

It is not necessary to break your database to make it secure.

Just configure pg_hba.conf to make sure that nobody except the operating system user postgres can log in, and restrict login to that account.

There is no way to protect the database from an administrative user who can change operating system passwords and override file permissions. Don't even try.
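
An added example, not part of the answer above or of PostgreSQL itself: a Python check that reads a pg_hba.conf and flags rules wider than the answer recommends (the `trust` method, a non-loopback address, or user `all`). The sample file is constructed, and quoted names and `@file` includes are not handled.

```python
import ipaddress

# Constructed sample file, not taken from the question's installation.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
host    all       all       127.0.0.1/32               trust
host    all       all       192.168.1.0 255.255.255.0  md5
host    appdb     postgres  ::1/128                    md5
"""

def parse_hba(text):
    """Return (lineno, user, address, method) for each rule in a pg_hba.conf."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()     # drop comments, split columns
        if not f:
            continue
        if f[0] == "local":                  # socket rule: no address column
            rules.append((lineno, f[2], None, f[3]))
            continue
        addr, rest = f[3], f[4:]
        try:                                 # old style: separate netmask column
            ipaddress.ip_address(rest[0])
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        except ValueError:                   # next column is the method name
            pass
        rules.append((lineno, f[2], addr, rest[0]))
    return rules

def is_loopback(addr):
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:                       # hostname, all, samehost, samenet
        return False

def audit(text):
    """Return (lineno, problem) pairs for rules wider than the answer recommends."""
    findings = []
    for lineno, user, addr, method in parse_hba(text):
        if method == "trust":
            findings.append((lineno, "trust: matching connections need no password"))
        if addr is not None and not is_loopback(addr):
            findings.append((lineno, f"{addr}: reachable from beyond loopback"))
        if "all" in user.split(","):
            findings.append((lineno, "user 'all': rule is not limited to one role"))
    return findings

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE_HBA):
        print(f"line {lineno}: {problem}")
```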