[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PostgreSQL-Problem and Problem on Alioth

On Tue, 25 Jan 2005, sean finney wrote:

if i'm understanding correctly, a security drawback of both these
methods is that any web application would effectively have r/w privileges
to every web app's database, right?
Yes.  There are some web applications (like zope) which do not run as this
user and might need a different database user, but in this case all Zope
applications would be able to access the database.

- Connect as $dbc_dbuser and use "password" authentication. ident
  makes not much sense since the database user has not necessarily
  a system user counterpart (if it has, then this would of course
  work). But if it hasn't, you need a pg_hba.conf entry.

thanks for the clarification on all this.  i'm also now spending some
time reading the fine manual (online postgres docs) about
identification/authentication, which will help clarify things a bit.
If you ask me, we could also do the following:

   1) Present a list of system users and ask the administrator which
      users should be able to access the data base.
   2) Add these users to a group <application> and create a database
      user for each selected user.
   3) Make sure that <application> can only be started by members of
      group <application> who are in consequence able to access the
      database via ident method.

Remark: I have just written code to add system users to a UNIX group for
        Custom Debian Distribution tools and I'm also using this for the
        GnuMed package.  Just the createuser call for PostgreSQL is missing.
Drawback: It works only for UNIX groups not for LDAP / NIS / whatever.

what would be helpful here is to hear from a larger number of
debian/postgres admins about how they have things set up, to get
an idea what the most common setups actually are.
I know that gforge is using some code to manipulate pg_hba.conf where
I have stolen some snippets.  IMHO it would make sense in any case to
provide such a feature in dbconfig-common to provide a standard way to
do such a security related procedure.

also, it looks like pg_hba.conf and pg_ident.conf both have some
kind of @include functionality, which might make messing with either
of the files moot.  i'll have to look more into these details...
If I'm not missleaded only pg_ident.conf has this feature.  I only know
of the feature that you can use an include list of users in pg_hba.conf
which I'm using in the GnuMed code, but this also requires to insert
lines of code into pg_hba.conf.

unnecessary in the common case. (I still need some time to read this
thread about the common database infrastructure *sigh*).

you can get the highlights on my p.d.o page :)
In fact


are really worth reading ... :)

Kind regards



Reply to: