Roger Lucas roger
Tue Nov 22 13:54:46 PST 2005
We are looking into Slony as the replication system for a small number of
machines (<30) spread across multiple locations.  Some of the locations are
co-location racks within ISPs so we are rather concerned about security.
Our working assumption is that at some point at least one of the machines
will become completely compromised and a malicious user will gain full root
access to it.  We can happily "write off" that machine (i.e. power it off
remotely) and continue to operate without it in the cluster until we are
able to rebuild it, but the concern is that the malicious user may be able
to corrupt databases on other machines having compromised just that one
machine in the network.

As I understand it, all slon daemons run with full super-user privileges and
the utility "slonik" is able to re-structure the entire replication system
from any node within the network.  This raises the possible scenario:

There are 4 nodes in the network - a master node and 3 slave nodes.

A malicious user manages to compromise a slave node.

This user then runs slonik on the compromised node to restructure the
network so that the compromised slave node is now the master and the old
master and slave nodes now replicate from the compromised node.

This user then deletes/corrupts the data on the compromised node and this
data is then propagated to all the other nodes in the network.

At this point, what started off as an isolated incident on one remote
machine has escalated to one which has taken down our entire system and will
require a lot of time and effort to restore.

Can anyone comment/clarify whether the above understanding is correct, and
also what preventative measures may be taken.  Comments such as "Don't allow
your boxes to get root-ed!" are not hugely helpful, however, unless the
author of the comment can provide a method of prevention that is 100%
guaranteed.

Thanks in advance,

Roger
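One place a defender can narrow the exposure described in the post is the PostgreSQL client-authentication file, pg_hba.conf, on each node. This is an added illustration and is not taken from the original message or from the Slony project's documentation; the role name slony, the database name appdb and the node addresses are assumed values. The first (commented-out) line is the weak setting: it lets any host attempt a password login as any role, including the superuser account the slon daemons use. The lines that follow are the tightened form, where that role is accepted only from the known cluster nodes over TLS and rejected from everywhere else. pg_hba.conf uses the first matching line, so the reject line must come after the per-node lines.

```conf
# pg_hba.conf on one cluster node (added example, assumed values).
# Format: TYPE  DATABASE  USER   ADDRESS          METHOD

# Weak setting: any host may try a password login as any role, including
# the replication superuser.
#host    all       all    0.0.0.0/0        md5

# Tightened setting: the replication superuser (assumed role 'slony') may
# connect only from the other cluster nodes (assumed addresses) and only
# over TLS; 'hostssl' requires ssl=on in postgresql.conf.
hostssl  appdb     slony  10.0.1.10/32     md5
hostssl  appdb     slony  10.0.1.11/32     md5
hostssl  appdb     slony  10.0.1.12/32     md5

# Everything else is refused for that role before any password is checked.
host     all       slony  0.0.0.0/0        reject

# Ordinary application roles get their own, narrower line and cannot use
# the 'slony' credential from the application network.
host     appdb     app    10.0.2.0/24      md5
```

After editing the file, reload the server configuration (pg_ctl reload) for the change to take effect; on PostgreSQL 10 or later, scram-sha-256 can replace md5 as the method. The caveat a practitioner will want: this only limits where the superuser credential can be used from. A slave that is a legitimate replication peer still holds that credential and is still on the allowed list, so under the compromise the post assumes, pg_hba.conf alone does not prevent the compromised node from running slonik against its peers; it removes every host that is not a cluster member from the picture, which shrinks the exposure rather than eliminating it.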
