securing an information system

From: BARTKO, Zoltán <bartko(dot)zoltan(at)pobox(dot)sk>
To: pgsql-general(at)postgresql(dot)org
Subject: securing an information system
Date: 2005-05-20 06:40:26
Message-ID: 200505200640.j4K6eQ6T003675@www3.pobox.sk
Lists: pgsql-general

Hello folks,

Problem:

I need some help with the system I am working on. It is an
information system built on PgSQL 8, and after searching all over the
net I found no function I could use to determine where the request to
the DB (select...) came from. I need it to prevent the use of fake user ID
numbers.

Premises:

All clients connect to the server via a single DB user. The users do
not know each other's passwords, but they may know each other's
ID numbers. Any action in the system is carried out via access
functions implemented as stored procedures on the DB, and the tables
are only accessible for selecting data, nothing more.

Possible exploit:

There are 2 users, A and B. B knows A's ID; while B is logged in, he
connects to the DB via psql and sends an API call identifying himself
as B. The system will accept it, because the origin of the request is
not known.

Question:

Is there any way to find out on the server where the client
request came from? If there were, I could ensure that one user connects
only via one IP address. Or is this the wrong approach? Should I rather
use some key located on the user's computer, visible only to him,
that would be sent every time the client requests an action from the
server via a secure connection?

Please enlighten me. Thanks in advance.

Zoltan

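The "key sent with every request" idea from the question, worked out as an added example that is not part of this thread: the server issues an opaque session token after a password check, stores it together with the user id, and every access function derives the caller from the token instead of trusting a client-supplied ID. Assumed names (`users` with `id`, `login`, `pw_hash`, `salt`; `documents` with `owner_id`; the shared DB role `app_client`) are illustrative, and `md5` stands in for a proper password hash such as pgcrypto's `crypt()`.

```sql
-- Added example, not code from the original post. Server-side sessions for
-- PostgreSQL 8.x (plpgsql, dollar quoting, no gen_random_bytes available).
CREATE TABLE app_session (
    token      text PRIMARY KEY,
    user_id    integer NOT NULL REFERENCES users(id),
    created_at timestamptz NOT NULL DEFAULT now()
);
-- The shared client role must not read or forge sessions directly;
-- it only reaches them through the SECURITY DEFINER functions below.
REVOKE ALL ON app_session FROM app_client;   -- app_client: assumed role name

-- Authenticate with the user's own password and hand back an opaque token.
CREATE OR REPLACE FUNCTION app_login(p_login text, p_password text)
RETURNS text AS $$
DECLARE
    v_user_id integer;
    v_token   text;
BEGIN
    SELECT id INTO v_user_id FROM users
     WHERE login = p_login AND pw_hash = md5(p_password || salt);  -- placeholder hash
    IF NOT FOUND THEN
        RAISE EXCEPTION 'invalid login';
    END IF;
    -- Token is generated on the server, so a client cannot pick another user's value.
    v_token := md5(random()::text || now()::text || p_login);
    INSERT INTO app_session (token, user_id) VALUES (v_token, v_user_id);
    RETURN v_token;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Resolve the caller from the token; expired or unknown tokens are rejected.
CREATE OR REPLACE FUNCTION app_current_user(p_token text) RETURNS integer AS $$
DECLARE v_user_id integer;
BEGIN
    SELECT user_id INTO v_user_id FROM app_session
     WHERE token = p_token AND created_at > now() - interval '8 hours';
    IF NOT FOUND THEN
        RAISE EXCEPTION 'invalid or expired session';
    END IF;
    RETURN v_user_id;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- An API function takes the token, never a user id: the server decides who calls.
CREATE OR REPLACE FUNCTION app_list_my_documents(p_token text)
RETURNS SETOF documents AS $$
    SELECT * FROM documents WHERE owner_id = app_current_user($1);
$$ LANGUAGE sql SECURITY DEFINER;
```

Because the token travels in every call it must go over an encrypted connection (SSL), and the one-IP-per-user idea from the question is not needed, since the shared DB user no longer has any way to name the acting user.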
