Make Evergreen services default to a non-Pg superuser

Bug #2023192 reported by Galen Charlton
This bug affects 2 people
Affects: Evergreen
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone:

Bug Description

Currently Evergreen's services connect to the database using a PostgreSQL superuser account. This increases the risk of damage if an SQL injection is found and exploited.

It would be better if the services instead used an account that had lesser privileges. In particular, such an account would be able to:

- retrieve and update data from all tables
- invoke most, but not necessarily all, stored procedures defined by Evergreen

What it would not be able to do includes:

- DDL, with the possible exception of creating specific temporary tables
- Invoke stored procedures that are purely concerned with managing Evergreen schema updates

While this would better control access to the database, there would be operational tradeoffs:

- looking for and adjusting code that (needlessly) assumes the DB user is a superuser
- ensuring that access privileges for the new account are seamlessly updated during upgrades
- minimizing the effort needed by the Evergreen sysadmin to transition to the new restricted account, especially in the face of any local schema adjustments
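The following PostgreSQL script is an added example of the restricted account the report describes; it is not Evergreen's own SQL and is not part of the bug report. The role names (evergreen_app, evergreen_dba), the database name (evergreen) and the schema-upgrade helper function (evergreen.apply_schema_upgrade) are placeholders chosen for illustration, not real Evergreen names.

```sql
-- Added example (not Evergreen's own SQL): a non-superuser application role
-- that can read and update every table and call most functions, but cannot
-- run DDL other than creating temporary tables. Role names, the database
-- name and evergreen.apply_schema_upgrade(text) are placeholders.

-- 1. Login role that is not a superuser and cannot create databases or roles.
CREATE ROLE evergreen_app LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD 'placeholder-change-me';

-- 2. Allow connecting and keep TEMP, so the services can still create the
--    temporary tables that the report lists as the one permitted kind of DDL.
GRANT CONNECT, TEMP ON DATABASE evergreen TO evergreen_app;

-- Before PostgreSQL 15 every role may CREATE in the public schema; remove
-- that so the role cannot create persistent tables anywhere.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. DML on all tables, use of sequences and EXECUTE on functions in every
--    application schema. ALTER DEFAULT PRIVILEGES makes objects created by
--    later upgrades receive the same grants; it applies to objects created
--    by the role running this block, so run it as the schema owner.
DO $$
DECLARE s text;
BEGIN
    FOR s IN
        SELECT nspname FROM pg_namespace
        WHERE nspname NOT LIKE 'pg\_%' AND nspname <> 'information_schema'
    LOOP
        EXECUTE format('GRANT USAGE ON SCHEMA %I TO evergreen_app', s);
        EXECUTE format('GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA %I TO evergreen_app', s);
        EXECUTE format('GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA %I TO evergreen_app', s);
        EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %I TO evergreen_app', s);
        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO evergreen_app', s);
        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT USAGE, SELECT, UPDATE ON SEQUENCES TO evergreen_app', s);
        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT EXECUTE ON FUNCTIONS TO evergreen_app', s);
    END LOOP;
END
$$;

-- 4. Withhold the schema-management procedures. PostgreSQL grants EXECUTE on
--    new functions to PUBLIC by default, and step 3 granted it explicitly,
--    so both grants must go; then re-grant to the DBA role only.
REVOKE EXECUTE ON FUNCTION evergreen.apply_schema_upgrade(text) FROM PUBLIC, evergreen_app;
GRANT EXECUTE ON FUNCTION evergreen.apply_schema_upgrade(text) TO evergreen_dba;

-- 5. Checks a sysadmin can run after switching the services to the new role.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles WHERE rolname = 'evergreen_app';                        -- expect f, f, f
SELECT has_schema_privilege('evergreen_app', 'public', 'CREATE');       -- expect f
SELECT has_function_privilege('evergreen_app',
       'evergreen.apply_schema_upgrade(text)', 'EXECUTE');              -- expect f
```

Two points bear on the upgrade tradeoff listed above. The default-privilege rules only cover objects created by the role that ran the DO block, so if upgrade scripts run as a different role the GRANT loop has to be re-run afterwards. And because the default rule for functions re-grants EXECUTE on any function an upgrade recreates, the REVOKE in step 4 must be repeated for every schema-management function after each upgrade; the has_function_privilege check at the end is the quick way to confirm it held.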

Tags: database
Galen Charlton (gmc)
information type: Public → Public Security
Jason Stephenson (jstephenson) wrote :

Set this to confirmed because I agree that it should be on our road map for future development.

Changed in evergreen:
status: New → Confirmed
