Re: securing an information system

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: BARTKO, Zoltán <bartko(dot)zoltan(at)pobox(dot)sk>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: securing an information system
Date: 2005-05-20 12:17:23
Message-ID: 20050520121723.GA17521@wolff.to
Lists: pgsql-general

On Fri, May 20, 2005 at 08:40:26 +0200,
"BARTKO, Zoltán" <bartko(dot)zoltan(at)pobox(dot)sk> wrote:
> Hello folks,
>
> Problem:
>
> I would need some help with the system I am working on. It is an
> information system built on PgSQL 8 and after searching all over the
> net I found no function I could use to determine where the request to
> the DB (select...) came from. I need it to prevent using fake user ID
> numbers.

The 8.1 TODO indicates such information will be saved. I don't know if
there will be a predefined function to retrieve the information, but if
not you will be able to write your own in C.

> Premises:
>
> All clients connect to the server via a single DB user. The users do
> not know the passwords of each other, but they may know each other's
> ID numbers. Any action in the system is carried out via access
> functions implemented as stored procedures on the DB and the tables
> are only accessible to select data, nothing more.

My suggestion would be to have everyone use their own username. You
are effectively maintaining this information anyway, so I wouldn't
expect it to be much harder to maintain normal postgres users instead
of or in addition to your current ids.
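
A sketch of the per-user approach suggested in the reply, added here as an example and not taken from the thread. It is written for current PostgreSQL; the role, table and function names (app_users, alice, bob, orders, place_order) are hypothetical. The access function takes no user ID argument and records the authenticated login role instead.

```sql
-- Added example; all object names are constructed for illustration.
-- One login role per person, grouped under a non-login role for grants.
-- Passwords / pg_hba.conf authentication are configured separately.
CREATE ROLE app_users NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE app_users;
CREATE ROLE bob   LOGIN IN ROLE app_users;

CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    created_by name NOT NULL,
    item       text NOT NULL
);

-- As in the original setup: tables are readable, nothing more.
REVOKE ALL ON orders FROM PUBLIC;
GRANT SELECT ON orders TO app_users;

-- Access function: the caller cannot supply an identity.
-- Inside a SECURITY DEFINER function current_user is the function owner,
-- while session_user is still the role that authenticated the connection.
CREATE FUNCTION place_order(p_item text) RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, public, pg_temp
AS $$
    INSERT INTO public.orders (created_by, item)
    VALUES (session_user, p_item)
    RETURNING id;
$$;

-- Functions are executable by PUBLIC by default; restrict to the group.
REVOKE ALL ON FUNCTION place_order(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION place_order(text) TO app_users;

-- Connected as alice:
--   SELECT place_order('widget');
--   SELECT created_by, item FROM orders;   -- created_by = 'alice'
-- bob has no parameter through which to claim alice's identity, and a
-- direct INSERT INTO orders fails because only SELECT is granted.
```

Only a superuser can change session_user (via SET SESSION AUTHORIZATION), so none of the application login roles should be superusers.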
