From: | Howard Eglowstein <howard(at)yankeescientific(dot)com> |
---|---|
To: | Tom Browder <tom(dot)browder(at)gmail(dot)com> |
Cc: | "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org> |
Subject: | Re: Security Best Practices: Is This Reasonable? |
Date: | 2012-01-13 17:17:01 |
Message-ID: | 12211F63-9430-4D83-9384-57BAEF18A9B0@yankeescientific.com |
Lists: | pgsql-novice |
We're doing something similar to allow dealers to access relevant parts of a table and not others. Using the Apache user name login works swell and if there's a security problem with it, we haven't bumped into it yet.
Howard
Sent from my iPad (please disregard egg freckles)
On Jan 13, 2012, at 11:24 AM, Tom Browder <tom(dot)browder(at)gmail(dot)com> wrote:
> I would appreciate any critique of this security model I want to use
> for my planned web-accessible family database:
>
> I have a working PostgreSQL running on a remote Linux web server
> running Apache 2. I want to allow web access to a database but want
> to restrict row update to a row owner.
>
> All access to the site is by SSL/TLS, and I use Apache htdigest
> passwords to control access to the directory containing the database
> Perl cgi scripts.
>
> I plan to have every table have a field (called 'owner') which will be
> filled in by the accessing user's name when a new row is created (I
> will really use an integer key unique for each user).
>
> The site user names and passwords will be the same as the database
> user names and passwords.
>
> I plan to have user names identified through the CGI environment and
> then, for any attempted update of any row in any table, disallow it if
> the user and owner do not match.
>
> Thanks for any suggestions.
>
> Best regards,
>
> -Tom
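The ownership rule described in the quoted message, as an added sketch that is not code from either poster: the user name comes only from the `REMOTE_USER` CGI variable, and the owner match is part of the `UPDATE` statement itself. Python with `sqlite3` stands in for the Perl CGI scripts and PostgreSQL so the example runs offline; the table and function names (`site_user`, `person`, `create_row`, `update_note`) and the sample users are assumptions.

```python
import sqlite3

def demo_db():
    """Constructed sample schema (hypothetical names), in-memory SQLite."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE site_user (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
        CREATE TABLE person (id INTEGER PRIMARY KEY,
                             owner INTEGER NOT NULL REFERENCES site_user(id),
                             note TEXT);
        INSERT INTO site_user (id, name) VALUES (1, 'alice'), (2, 'bob');
    """)
    return db

def authenticated_user(environ):
    """Login name set by Apache after digest auth; fail closed if absent."""
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        raise PermissionError("no authenticated user in CGI environment")
    return user

def create_row(db, environ, note):
    """Insert a row whose owner is the caller's integer key, never form input."""
    user = authenticated_user(environ)
    cur = db.execute(
        "INSERT INTO person (owner, note) "
        "SELECT id, ? FROM site_user WHERE name = ?", (note, user))
    db.commit()
    if cur.rowcount != 1:
        raise PermissionError("authenticated user has no site_user row")
    return cur.lastrowid

def update_note(db, environ, row_id, new_note):
    """Update only if the caller owns the row.

    The owner test sits in the UPDATE's WHERE clause, so check and write are
    one statement. Returns False when the row is missing or owned by someone
    else (the caller cannot tell which).
    """
    user = authenticated_user(environ)
    cur = db.execute(
        "UPDATE person SET note = ? WHERE id = ? "
        "AND owner = (SELECT id FROM site_user WHERE name = ?)",
        (new_note, row_id, user))
    db.commit()
    return cur.rowcount == 1
```

All values reach the database as bound parameters, and a request without `REMOTE_USER` is rejected before any SQL runs.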