Re: PostgreSQL-Problem and Problem on Alioth

To: Debian Developers <debian-devel@lists.debian.org>
Cc: Karsten Hilbert <Karsten.Hilbert@gmx.net>
Subject: Re: PostgreSQL-Problem and Problem on Alioth
From: Andreas Tille <tillea@rki.de>
Date: Wed, 26 Jan 2005 08:36:33 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.61.0501260816580.17333@wr-linux02>
In-reply-to: <[🔎] 20050125233827.GA13219@seanius.net>
References: <[🔎] Pine.LNX.4.61.0501250941060.24005@wr-linux02> <[🔎] 20050125093837.GB11501@box79162.elkhouse.de> <[🔎] 20050125233827.GA13219@seanius.net>

On Tue, 25 Jan 2005, sean finney wrote:

if i'm understanding correctly, a security drawback of both these
methods is that any web application would effectively have r/w privileges
to every web app's database, right?

Yes.  There are some web applications (like zope) which do not run as this
user and might need a different database user, but in this case all Zope
applications would be able to access the database.

- Connect as $dbc_dbuser and use "password" authentication. ident
  makes not much sense since the database user has not necessarily
  a system user counterpart (if it has, then this would of course
  work). But if it hasn't, you need a pg_hba.conf entry.


thanks for the clarification on all this.  i'm also now spending some
time reading the fine manual (online postgres docs) about
identification/authentication, which will help clarify things a bit.

If you ask me, we could also do the following:

   1) Present a list of system users and ask the administrator which
      users should be able to access the data base.
   2) Add these users to a group <application> and create a database
      user for each selected user.
   3) Make sure that <application> can only be started by members of
      group <application> who are in consequence able to access the
      database via ident method.

Remark: I have just written code to add system users to a UNIX group for
        Custom Debian Distribution tools and I'm also using this for the
        GnuMed package.  Just the createuser call for PostgreSQL is missing.
Drawback: It works only for UNIX groups not for LDAP / NIS / whatever.

what would be helpful here is to hear from a larger number of
debian/postgres admins about how they have things set up, to get
an idea what the most common setups actually are.

I know that gforge is using some code to manipulate pg_hba.conf where
I have stolen some snippets.  IMHO it would make sense in any case to
provide such a feature in dbconfig-common to provide a standard way to
do such a security related procedure.

also, it looks like pg_hba.conf and pg_ident.conf both have some
kind of @include functionality, which might make messing with either
of the files moot.  i'll have to look more into these details...

If I'm not missleaded only pg_ident.conf has this feature.  I only know
of the feature that you can use an include list of users in pg_hba.conf
which I'm using in the GnuMed code, but this also requires to insert
lines of code into pg_hba.conf.

unnecessary in the common case. (I still need some time to read this
thread about the common database infrastructure *sigh*).


you can get the highlights on my p.d.o page :)

In fact

   http://people.debian.org/~seanius/policy/dbapp-policy.html
   http://people.debian.org/~seanius/policy/dbconfig-common.html

are really worth reading ... :)

Kind regards

         Andreas.

--
http://fam-tille.de

Reply to:

References:
- PostgreSQL-Problem and Problem on Alioth
  - From: Andreas Tille <tillea@rki.de>
- Re: PostgreSQL-Problem and Problem on Alioth
  - From: Martin Pitt <martin@piware.de>
- Re: PostgreSQL-Problem and Problem on Alioth
  - From: sean finney <seanius@debian.org>

Prev by Date: Re: More on icons for packages
Next by Date: Re: More on icons for packages
Previous by thread: Re: PostgreSQL-Problem and Problem on Alioth
Next by thread: Re: PostgreSQL-Problem and Problem on Alioth
Index(es):
- Date
- Thread