WARNING – Granting of psql/sqlplus executables to sudoers in Linux/Unix
I discovered this behavior accidentally during my project work recently. I needed psql access to a RHEL 6 system. However, the company policy enforces a minimum-access policy (well done!). Thus, my account was given sudoer permission to use only the psql executable. I needed to perform DBA tasks on this system.
Let me show you the issue.
[weishan]$ sudo su -
[sudo] password for weishan:
ユーザー user は'/bin/su -' を root として 上で実行することは許可されていません。すみません。
(This means the user is not allowed to execute su -)

[weishan]$ tail -n 10 /var/log/messages
tail: `messages' を 読み込み用でオープンできません: 許可がありません
(This means access denied)

[weishan]$ sudo /home/postgres/pgsql/bin/psql -h localhost -p 5432 -U postgres postgres
[sudo] password for weishan:
psql (9.2.4)
Type "help" for help.
Looking at the output above, the sudoers rule was configured correctly: no su, no reading of /var/log/messages, only psql. Now, let's see what happens from inside psql.
psql> \!
[root@gsdb03s log]# tail -n 5 /var/log/messages
May 10 15:34:47 snmpd: Connection from UDP: [ip]:63484->[ip]
May 10 15:34:47 snmpd: Connection from UDP: [ip]:63484->[ip]
May 10 15:34:47 snmpd: Connection from UDP: [ip]:63484->[ip]
May 10 15:34:47 snmpd: Connection from UDP: [ip]:63484->[ip]
From the above, we can see that it is technically possible for a user who was only granted sudo access to psql to obtain a root shell through the \! shell escape, even though root access was never granted explicitly. Thus, we should be mindful when granting sudo rights to the psql or sqlplus executable.
I did not test this on sqlplus, but the behaviour should be the same, since both psql and sqlplus allow the user to "temporarily" exit the console for OS-level access.
Moral of the story:
- Do not configure sudo so that a user runs psql/sqlplus as the root user directly.
- Configure sudo to only allow the weishan user to "sudo su -" to the postgres user.
- Configure logging for sudo access.
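As an added example (not part of the original post), a small shell audit over a constructed sudoers sample that flags rules granting psql or sqlplus as root, the pattern described above, while passing the "su - postgres" rule the post recommends. The sudoers NOEXEC tag, which stops a command run via sudo from executing further programs, is treated as a mitigation; the user names and paths in the sample are made up.

```shell
#!/bin/sh
# Constructed sample sudoers content (not from the original post). It mixes the
# weak grant from the article with the rule the article recommends instead.
SAMPLE_SUDOERS='Defaults logfile=/var/log/sudo.log
weishan  ALL=(root) /home/postgres/pgsql/bin/psql
dbateam  ALL=(root) /usr/bin/sqlplus, /bin/ls
weishan  ALL=(root) /bin/su - postgres
audit    ALL=(postgres) /usr/bin/psql
backup   ALL=(root) NOEXEC: /usr/bin/psql   # NOEXEC blocks the \! escape'

# Print "user: command" for every rule that lets a user run psql or sqlplus as
# root (explicit "(root)", "(ALL)", or no runas list, which defaults to root)
# without sudo's NOEXEC tag. Aliases are not expanded: this is a first-pass check.
find_shell_escape_grants() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*$/, "") }                                  # strip comments
        /^[[:space:]]*$/ || /^(Defaults|[A-Za-z_]*_Alias)/ { next }
        {
            spec = $0; sub(/^[^=]*=/, "", spec)             # text after "host="
            runas = "root"                                  # sudo default runas user
            if (match(spec, /^[[:space:]]*\([^)]*\)/)) {
                runas = substr(spec, RSTART, RLENGTH)
                gsub(/[[:space:]()]/, "", runas); sub(/:.*/, "", runas)
                spec = substr(spec, RSTART + RLENGTH)
            }
            if (runas != "root" && runas != "ALL") next
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmd)
                noexec = 0
                while (match(cmd, /^[A-Z]+:[[:space:]]*/)) {  # NOPASSWD:, NOEXEC:, ...
                    if (substr(cmd, 1, RLENGTH) ~ /^NOEXEC:/) noexec = 1
                    cmd = substr(cmd, RLENGTH + 1)
                }
                split(cmd, parts, /[[:space:]]+/)           # first word is the binary
                base = parts[1]; sub(/.*\//, "", base)
                if (!noexec && (base == "psql" || base == "sqlplus")) print $1 ": " cmd
            }
        }'
}

find_shell_escape_grants "$SAMPLE_SUDOERS"
```

Run it against /etc/sudoers and the files under /etc/sudoers.d to review existing grants; a flagged rule is one to replace with a narrower "su - postgres" style rule.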