From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
---|---|
To: | BARTKO, Zoltán <bartko(dot)zoltan(at)pobox(dot)sk> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: securing an information system |
Date: | 2005-05-20 12:17:23 |
Message-ID: | 20050520121723.GA17521@wolff.to |
Lists: | pgsql-general |

On Fri, May 20, 2005 at 08:40:26 +0200,
"BARTKO, Zoltán" <bartko(dot)zoltan(at)pobox(dot)sk> wrote:
> Hello folks,
>
> Problem:
>
> I would need some help with the system I am working on. It is an
> information system built on PgSQL 8 and after searching all over the
> net I found no function I could use to determine where the request to
> the DB (select...) came from. I need it to prevent using fake user ID
> numbers.

The 8.1 TODO indicates such information will be saved. I don't know if
there will be a predefined function to retrieve the information, but if
not you will be able to write your own in C.

> Premises:
>
> All clients connect to the server via a single DB user. The users do
> not know the passwords of each other, but they may know each other's
> ID numbers. Any action in the system is carried out via access
> functions implemented as stored procedures on the DB and the tables
> are only accessible to select data, nothing more.

My suggestion would be to have everyone use their own username. You
are effectively maintaining this information anyway, so I wouldn't
expect it to be much harder to maintain normal postgres users instead
of or in addition to your current ids.
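
A sketch of the per-user-login suggestion above, added here as an example and not part of the original message or thread: each person gets a database login, and the access function derives the acting user from `session_user` instead of trusting an ID number sent by the client. It assumes a current PostgreSQL release; every table, function and role name and the password are constructed placeholders.

```sql
-- Constructed schema; all names below are hypothetical.
CREATE TABLE app_user (
    id       integer PRIMARY KEY,      -- the existing application ID number
    db_login name    NOT NULL UNIQUE   -- the matching PostgreSQL login name
);

CREATE TABLE document (
    id       serial  PRIMARY KEY,
    owner_id integer NOT NULL REFERENCES app_user(id),
    body     text    NOT NULL
);

-- One login per person instead of a single shared account.
CREATE USER alice PASSWORD 'placeholder-change-me';
CREATE USER bob   PASSWORD 'placeholder-change-me';
INSERT INTO app_user (id, db_login) VALUES (1, 'alice'), (2, 'bob');

-- Tables stay select-only for clients, as in the design described above.
REVOKE ALL ON app_user, document FROM PUBLIC;
GRANT SELECT ON app_user, document TO alice, bob;

-- Access function with no user-ID parameter. Inside a SECURITY DEFINER
-- function current_user is the function owner, while session_user is still
-- the login that authenticated, so a caller cannot claim another user's ID.
CREATE FUNCTION add_document(p_body text) RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp      -- pin name lookup for the definer
AS $$
DECLARE
    v_owner integer;
    v_id    integer;
BEGIN
    SELECT id INTO v_owner FROM app_user WHERE db_login = session_user;
    IF v_owner IS NULL THEN
        RAISE EXCEPTION 'login % is not a registered application user',
            session_user;
    END IF;
    INSERT INTO document (owner_id, body) VALUES (v_owner, p_body)
    RETURNING id INTO v_id;
    RETURN v_id;
END;
$$;

-- Functions are executable by PUBLIC by default; restrict to known logins.
REVOKE ALL ON FUNCTION add_document(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION add_document(text) TO alice, bob;
```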