Re: PostgreSQL-Problem and Problem on Alioth
On Tue, 25 Jan 2005, sean finney wrote:
if i'm understanding correctly, a security drawback of both these
methods is that any web application would effectively have r/w privileges
to every web app's database, right?
Yes. There are some web applications (like zope) which do not run as this
user and might need a different database user, but in this case all Zope
applications would be able to access the database.
- Connect as $dbc_dbuser and use "password" authentication. ident
makes not much sense since the database user has not necessarily
a system user counterpart (if it has, then this would of course
work). But if it hasn't, you need a pg_hba.conf entry.
thanks for the clarification on all this. i'm also now spending some
time reading the fine manual (online postgres docs) about
identification/authentication, which will help clarify things a bit.
If you ask me, we could also do the following:
1) Present a list of system users and ask the administrator which
users should be able to access the data base.
2) Add these users to a group <application> and create a database
user for each selected user.
3) Make sure that <application> can only be started by members of
group <application> who are in consequence able to access the
database via ident method.
Remark: I have just written code to add system users to a UNIX group for
Custom Debian Distribution tools and I'm also using this for the
GnuMed package. Just the createuser call for PostgreSQL is missing.
Drawback: It works only for UNIX groups not for LDAP / NIS / whatever.
what would be helpful here is to hear from a larger number of
debian/postgres admins about how they have things set up, to get
an idea what the most common setups actually are.
I know that gforge is using some code to manipulate pg_hba.conf where
I have stolen some snippets. IMHO it would make sense in any case to
provide such a feature in dbconfig-common to provide a standard way to
do such a security related procedure.
also, it looks like pg_hba.conf and pg_ident.conf both have some
kind of @include functionality, which might make messing with either
of the files moot. i'll have to look more into these details...
If I'm not missleaded only pg_ident.conf has this feature. I only know
of the feature that you can use an include list of users in pg_hba.conf
which I'm using in the GnuMed code, but this also requires to insert
lines of code into pg_hba.conf.
unnecessary in the common case. (I still need some time to read this
thread about the common database infrastructure *sigh*).
you can get the highlights on my p.d.o page :)
In fact
http://people.debian.org/~seanius/policy/dbapp-policy.html
http://people.debian.org/~seanius/policy/dbconfig-common.html
are really worth reading ... :)
Kind regards
Andreas.
--
http://fam-tille.de
Reply to: