Re: [GENERAL] cgi with postgres

From: Alfred Perlstein <bright(at)wintelcom(dot)net>
To: Jeff MacDonald <jeff(at)hub(dot)org>
Cc: pgsql-general(at)hub(dot)org
Subject: Re: [GENERAL] cgi with postgres
Date: 2000-01-14 22:52:28
Message-ID: 20000114145228.F508@fw.wintelcom.net
Lists: pgsql-general

* Jeff MacDonald <jeff(at)hub(dot)org> [000114 14:07] wrote:
> alfred, that seems like a very reasonable solution,
>
> in regard to the other chap's response, i'm not worried
> about web users anyway, cause they can't see the perl
> source. it's users on the system i'd like to protect
> against.

I'm not sure what you mean, but there is a problem: unless you
execute the scripts as a user other than the default cgi user,
you may run into problems, because then people can craft a cgi and
run it through the server to gain access to the 700 dir. You'll
either need some sort of setuid (to a special user, not root) or
use some sort of cgiwrapper.

-Alfred

>
> On Fri, 14 Jan 2000, Alfred Perlstein wrote:
>
> > * Jeff MacDonald <jeff(at)hub(dot)org> [000114 13:38] wrote:
> > > hey folks,
> > >
> > > this is a security issue i'd like to get some info
> > > on, i'm sure it's more with cgi than postgres, but
> > > heck.
> > >
> > > issue: how to secure cgi's that access postgres
> > >
> > > problem: passwords for postgres database are stored
> > > in plain text in scripts. (let's assume, perl,
> > > not a compiled language)
> > >
> > > points:
> > > make cgi dir 711
> > > big deal, they can get the name of the file
> > > from the web, and copy it.
> >
> > how about sourcing a conf file that's in a 700 dir?
> >
> > >
> > > set an obscure cgi script alias in apache
> > > big deal, they can read the cgi conf file.
> > >
> > > this is assuming they already have an account
> > > on the machine, something that cannot be ruled
> > > out.
> > >
> > > question in short: how to make perl accessing databases
> > > more secure, so any jack can't modify a database.
> > >
> > > thanks in advance.
> > >
> > > Jeff MacDonald
> > > jeff(at)hub(dot)org
> > >
> >
> > --
> > -Alfred Perlstein - [bright(at)wintelcom(dot)net|alfred(at)freebsd(dot)org]
> >
>
> Jeff MacDonald
> jeff(at)hub(dot)org
>
> ===================================================================
> So long as the Universe had a beginning, we can suppose it had a
> creator, but if the Universe is completely self contained, having
> no boundary or edge, it would neither be created nor destroyed
> It would simply be.
> ===================================================================
>

--
-Alfred Perlstein - [bright(at)wintelcom(dot)net|alfred(at)freebsd(dot)org]
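
The arrangement discussed in this thread (credentials sourced from a conf file in a 700 dir, with the CGI run as a dedicated user through a setuid wrapper or cgiwrapper), as an added example that is not part of the original messages: a Perl loader that refuses to read the file when it runs as the shared CGI user or when the directory or file is open to other local users. The path, the key=value file format and the list of shared account names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread; path, format and account names are assumed.
use strict;
use warnings;
use File::Basename qw(dirname);
use Fcntl qw(:mode);

my $CONF   = '/home/dbcgi/private/db.conf';                   # hypothetical
my %SHARED = map { $_ => 1 } qw(nobody www www-data apache);  # assumed names

# Return a problem description, or nothing if $path is private to the euid.
sub perm_problem {
    my ($path) = @_;
    my @st = stat($path) or return "cannot stat $path: $!";
    return "$path is owned by uid $st[4], not effective uid $>" if $st[4] != $>;
    return sprintf('%s has mode %04o; group/other bits must be clear',
                   $path, S_IMODE($st[2]))
        if $st[2] & (S_IRWXG | S_IRWXO);
    return;
}

# Check the running user, the directory and the file, then parse key=value.
sub load_db_conf {
    my ($file) = @_;
    my $me = getpwuid($>) // '';
    die "running as shared CGI user '$me'; use a setuid wrapper\n"
        if $SHARED{$me};
    for my $p (dirname($file), $file) {
        my $why = perm_problem($p);
        die "refusing to load credentials: $why\n" if defined $why;
    }
    open(my $fh, '<', $file) or die "open $file: $!\n";
    my %conf;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#.*)?$/;     # skip comments and blank lines
        $conf{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    return \%conf;
}

my $conf = eval { load_db_conf($CONF) };
if (!$conf) {
    print STDERR $@;    # details go to the server error log, not the client
    print "Status: 500 Internal Server Error\r\n",
          "Content-Type: text/plain\r\n\r\nconfiguration error\n";
    exit 1;
}
# $conf->{user} and $conf->{password} would now be passed to DBI->connect.
print "Content-Type: text/plain\r\n\r\ncredentials loaded\n";
```

The check on the effective user is what addresses the point above: a 700 directory owned by the shared CGI account is readable by any CGI another local user can get the server to run.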
