| From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
|---|---|
| To: | Chris Browne <cbbrowne(at)acm(dot)org> |
| Cc: | pgsql-novice(at)postgresql(dot)org |
| Subject: | Re: maximum for database users? |
| Date: | 2006-02-04 22:12:11 |
| Message-ID: | 20060204221211.GC15063@wolff.to |
| Lists: | pgsql-novice |
On Fri, Feb 03, 2006 at 19:15:37 -0500,
Chris Browne <cbbrowne(at)acm(dot)org> wrote:
>
> But it is fairly common for applications to not expose database users
> to the application users.
>
> For instance, the SAP R/3 system (which doesn't use PostgreSQL; it
> typically uses Oracle) generally runs as just one database user.
And doing this in the wrong circumstances is a big security hole.
For example, giving someone two-tier access in PeopleSoft gives away the
whole system because the application is running in an untrusted environment
and is connecting as a database user that has full access to all of the PeopleSoft
tables.
> Likewise, it is common for a web application to have one or just a few
> "database users;" think of Slashdot, where there is not really any
> reason for each of the many thousands of users to be identifiable
> inside the database.
This isn't the same problem for use with web services, since typically the
web server is running in a trusted environment. However, it can make it
easier to escalate access in the event of a security breach.
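The point Bruno makes here is a least-privilege one: when every application user shares a single database user, the blast radius of a web-tier compromise is whatever that database user can do. The following is an added example, not part of this mail or of the PostgreSQL project's own documentation, showing the weak setup (the application logs in as the schema owner) beside the corrected one (a dedicated login role granted only the statements the application actually issues). Role, database, table and column names (`shopdb`, `app_owner`, `app_web`, `orders`, `users`, `password_hash`) are hypothetical; the column-level `GRANT` assumes PostgreSQL 8.4 or later.

```sql
-- Added example (not from the mail): limiting what a shared application
-- database user can do in PostgreSQL. All names below are hypothetical.

-- Weak setting: the web application connects as the role that owns the schema.
-- A breach of the web server then gives full DDL and DML over every table,
-- which is the PeopleSoft two-tier situation described in the mail.
CREATE ROLE app_owner LOGIN PASSWORD 'example-only-change-me';
CREATE DATABASE shopdb OWNER app_owner;
\connect shopdb app_owner

CREATE TABLE users (
    id            serial PRIMARY KEY,
    name          text NOT NULL,
    password_hash text NOT NULL      -- must never be readable by the web tier
);
CREATE TABLE orders (
    id       serial PRIMARY KEY,
    user_id  integer NOT NULL REFERENCES users(id),
    total    numeric(10,2) NOT NULL
);
-- (weak) the application's connection string uses app_owner here.

-- Corrected setting: a separate login role for the web tier with no
-- ownership, no role/database creation rights, and explicit grants only.
CREATE ROLE app_web LOGIN PASSWORD 'example-only-change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Close the defaults that PostgreSQL hands to every role via PUBLIC.
REVOKE CONNECT ON DATABASE shopdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Grant the minimum the application needs: connect, resolve names in the
-- schema, read/insert orders, and read only the non-secret user columns.
GRANT CONNECT ON DATABASE shopdb TO app_web;
GRANT USAGE ON SCHEMA public TO app_web;
GRANT SELECT, INSERT ON orders TO app_web;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_web;   -- needed for INSERT with serial id
GRANT SELECT (id, name) ON users TO app_web;        -- column-level: excludes password_hash

-- Verification from the owner's session: what can app_web actually do?
-- Expected: DELETE on orders and SELECT on users.password_hash are both false.
SELECT has_table_privilege('app_web', 'orders', 'DELETE')            AS web_can_delete_orders,
       has_column_privilege('app_web', 'users', 'password_hash', 'SELECT') AS web_can_read_hashes,
       has_column_privilege('app_web', 'users', 'name', 'SELECT')     AS web_can_read_names;

-- Full listing of table-level grants held by the web role.
SELECT table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'app_web'
 ORDER BY table_name, privilege_type;
```

With this split the application's connection string uses `app_web`, while schema migrations run as `app_owner` from a trusted host. A compromised web server still reaches the orders data the application legitimately uses, which is the residual risk Bruno points out, but it cannot read password hashes, drop or alter tables, create roles, or escalate further inside the database without a separate vulnerability.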