[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: common database policy/infrastracture

On Mon, 2004-10-18 at 03:23, sean finney wrote:
> > Even if the server is on the local machine, I am opposed to having any
> > application package alter the database access policies.  This is OK for
> what exactly do you mean by altering access policies?  granting
> privileges to a new user?

As the postgresql package is delivered, it will only accept connections
where the database user name is the same as the system user name.  So,
when I am logged in as 'olly', I can only connect to PostgreSQL as the
database user 'olly'.  This means that web-based datbase applications
cannot work, because the connection is done by the system user
'www-data', but the user wants to run it as the database user 'olly';
that connection will be rejected.

In order to get a connection under those circumstances, the
authentication set-up for the database in question needs to be changed
to 'md5' (MD5-encrypted passwords).  This is done by altering

> for the admin password, i agree.  for the app_user password, i think
> most apps are storing this password in a cleartext file for the
> application to use (php web apps, for example).  that's my opinion,
> anyways.

That may differ per application.  I would argue that it is very bad
security in all circumstances.

Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
     "Delight thyself also in the LORD; and he shall give 
      thee the desires of thine heart."          Psalms 37:4

Reply to: