Re: RFC: common database policy/infrastracture
On Mon, 2004-10-18 at 03:23, sean finney wrote:
...
> > Even if the server is on the local machine, I am opposed to having any
> > application package alter the database access policies. This is OK for
>
> what exactly do you mean by altering access policies? granting
> privileges to a new user?
As the postgresql package is delivered, it will only accept connections
where the database user name is the same as the system user name. So,
when I am logged in as 'olly', I can only connect to PostgreSQL as the
database user 'olly'. This means that web-based database applications
cannot work, because the connection is done by the system user
'www-data', but the user wants to run it as the database user 'olly';
that connection will be rejected.
In order to get a connection under those circumstances, the
authentication set-up for the database in question needs to be changed
to 'md5' (MD5-encrypted passwords). This is done by altering
/etc/postgresql/pg_hba.conf.
...
> for the admin password, i agree. for the app_user password, i think
> most apps are storing this password in a cleartext file for the
> application to use (php web apps, for example). that's my opinion,
> anyways.
That may differ per application. I would argue that it is very bad
security in all circumstances.
--
Oliver Elphick olly@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"Delight thyself also in the LORD; and he shall give
thee the desires of thine heart." Psalms 37:4
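The pg_hba.conf change Oliver describes, written out as an added example (not part of the original thread, and not Debian's shipped file): the database name 'webapp' and the comment wording are assumptions, the two authentication lines are the mechanism under discussion. pg_hba.conf is matched top to bottom and the first matching line wins, so the md5 line for the application's database has to come before the catch-all 'ident sameuser' line that the package installs; appended after it, it is never reached and 'www-data' is still refused.

```conf
# /etc/postgresql/pg_hba.conf  (added example, assumed layout)
#
# TYPE   DATABASE   USER   IP-ADDRESS   IP-MASK   METHOD
#
# Narrow exception, placed FIRST: only the 'webapp' database (assumed name)
# accepts a password over the local Unix socket. Any system user, including
# 'www-data', may connect as any database user if it presents the right
# MD5 password.
local    webapp     all                            md5
#
# Package default, left in place as the catch-all: on the local socket the
# database user must equal the system user (olly -> olly, www-data -> www-data).
local    all        all                            ident sameuser
#
# The database user then needs a password, set as the postgres superuser:
#   psql -c "ALTER USER olly WITH ENCRYPTED PASSWORD 'choose-a-long-secret';"
# and the server must re-read the file, e.g.:
#   /etc/init.d/postgresql reload
```

Two caveats a packager should keep in mind. First, 'md5' here only protects the password on the wire; the application still has to read it from somewhere, which is the cleartext-file problem raised in the last quoted paragraph. If the file cannot be avoided, keep it out of the document root and readable by the application's user only (for a PHP application on Debian, owner root, group www-data, mode 0640). Second, scoping the md5 line to a single database rather than 'all' means a compromised web account still cannot authenticate to other users' databases by password.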