From: | Maarten Boekhold <maartenb(at)dutepp0(dot)et(dot)tudelft(dot)nl> |
---|---|
To: | Chris Hardie <chris(at)summersault(dot)com> |
Cc: | pgsql-general(at)postgreSQL(dot)org |
Subject: | Re: [GENERAL] Postgres CGI Security Problem |
Date: | 1998-08-08 09:04:25 |
Message-ID: | Pine.SUN.3.91.980808110254.20787B-100000@dutepp0.et.tudelft.nl |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Sat, 8 Aug 1998, Vadim Mikheev wrote:
> Chris Hardie wrote:
> >
> > The situation: I have one machine with general user access. Some users
> > (including myself) own a postgres database. Some users (including myself)
> > use postgres as a back-end for CGI applications, using the Postgres.pm
> > module for Perl. This requires that user "nobody" (or www, or whomever)
> > have read/write access to my database.
> >
> > The problem: While it's very handy that I can write CGI scripts that can
> > read/write my database, it's a security problem. Other users` CGI scripts
> > will also make use of the "nobody" identity to access the database, which
> > means they can potentially read/write the data in my database if they
> > wanted to.
> >
> > The fix: You tell me. It would seem to involve a "setuid" of sorts for
> ^^^^^^
> > how the httpd process accesses the postgres database.
>
> Apache has suexec program ro run user' CGI and SSI under
> user' privileges...
And you could ofcourse always use password authenication for those
databases....
Maarten
ps. only problem is that those passwords have to be in your perl-script,
and that script has to be world-readable, unless you have a system that
supports ACL's, then you can set it only readable to user nobody or www
or whatever
_____________________________________________________________________________
| TU Delft, The Netherlands, Faculty of Information Technology and Systems |
| Department of Electrical Engineering |
| Computer Architecture and Digital Technique section |
| M(dot)Boekhold(at)et(dot)tudelft(dot)nl |
-----------------------------------------------------------------------------
From | Date | Subject | |
---|---|---|---|
Next Message | The Web Administrator | 1998-08-08 13:40:48 | Re: [GENERAL] Postgres CGI Security Problem |
Previous Message | Przemyslaw Bak | 1998-08-08 08:52:25 | Developers list |