Re: Philosophical question

On Wed, Dec 14, 2011 at 4:32 AM, Andreas <maps(dot)on(at)gmx(dot)net> wrote:
> Hi,
>
> I asked elsewhere about the best way to store db credentials within a
> user-session of a web-app.
>
> It appeared that it was for everybody but me evident that instead of heaving
> a db-role+passwd for every user of an application it was better to have just
> 1 set of db-credentials for the application and recreate a user management
> within the app instead using the existing user handling of the dbms.

I prefer the db-role + password for a number of reasons including the
ability to link into various auth options of PostgreSQL.

Also it fits with my security strategy of drawing as narrow of a
security perimeter as possible and thus making things more defensible.

>
> That way the app checks the user's password as a md5 in some table and
> remembers "user is logged in" for later. The actual queries would be done
> with a common set of real db credentials.
>
> Pro:  Noone could bypass the app and use e.g. pgAdmin to access the DB
> instead of the app.

On the other hand, you can prevent this using the pg_hba.conf, and if
some user wants that permission, and has a legitimate reason for it,
the permissions might be already set up to a reasonably safe level
depending on what exactly is needed.

>
> Con:  A bug in the app could give anyone the access level of the app's
> credentials which might offer admin rights if such power is needed at least
> for some users.

Yes, the standard approach means the *application* has access to the
the sum of all permissions needed. This is true on hybrid methods
too, although hybrid methods have the benefit of not having all such
access at once.

I prefer to let PostgreSQL manage the user/passwords of my web apps.

Best Wishes,
Chris Travers