
Re: PostgreSQL-Problem and Problem on Alioth



Hi!

sean finney [2005-01-25 18:38 -0500]:
> On Tue, Jan 25, 2005 at 10:38:37AM +0100, Martin Pitt wrote:
> > There are two common ways to achieve that:
> > 
> > - Connect as "www-data". For this you need an appropriate PostgreSQL
> >   user ("createuser www-data" as user postgres). Then you either make
> >   www-data the owner of the database ("createdb -O www-data mydb") or
> >   you set the owner to some application-specific PostgreSQL user and
> >   only GRANT the necessary permissions to www-data (usually you need
> >   table creation etc. only for package installation and can restrict
> >   www-data permissions to SELECT/UPDATE).
> 
> if i'm understanding correctly, a security drawback of both these
> methods is that any web application would effectively have r/w privileges
> to every web app's database, right?

It does not make a difference whether you use the "owned by www-data"
approach or use different owners with passwords. The webserver can
read all scripts (_including_ the passwords) anyway, so regardless of
how you do it, all your databases will be fair game to your web
server.

> >   This solution has the advantage that you don't need to modify
> >   pg_hba.conf (since you can use "ident sameuser" authentication).
> 
> which is certainly not to be overlooked.  i think maybe a disclaimer
> like "if you run multiple applications, this may present a security
> risk" might be in order, but it should definitely be an option.

See above :-) I still think owning the database by an
application-specific user and granting the necessary permissions to
www-data is an easy method, and it gives you the maximum amount of
security you can expect from this use case (least privilege).

> > - Connect as $dbc_dbuser and use "password" authentication. ident
> >   does not make much sense since the database user does not
> >   necessarily have a system user counterpart (if it has, then this
> >   would of course work). But if it hasn't, you need a pg_hba.conf entry.

Well, this is not _exactly_ right since you can map system users to
database users in pg_ident.conf, but that would mean yet another
conffile to touch.

> also, it looks like pg_hba.conf and pg_ident.conf both have some
> kind of @include functionality, which might make messing with either
> of the files moot.  i'll have to look more into these details...

I think pg_hba.conf does not have this feature. However, if that would
help and some kind of pg_hba.d/ structure would solve problems, I
think it would not be that hard to add that feature for Debian.

However, the general approach to these web applications wrt
databases should be discussed, and a generally working solution should
be found before I start hacking. :-)

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
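
The setup recommended in the message above (database owned by an application-specific user, www-data granted only SELECT/UPDATE), written out as an added example that is not part of the original e-mail or of any Debian package. The role "myapp_owner" and the table "guestbook" are hypothetical names; "mydb" and "www-data" are taken from the message.

```sql
-- Added illustration. Run as the postgres superuser through psql
-- (\connect is a psql meta-command, not SQL).
-- "myapp_owner" and "guestbook" are hypothetical names.

-- Two database users: one that owns the schema objects and is only
-- used at package install/upgrade time, and one matching the system
-- user the web server runs as (so "ident sameuser" can authenticate it).
CREATE USER myapp_owner;
CREATE USER "www-data";

-- Same effect as: createdb -O myapp_owner mydb
CREATE DATABASE mydb OWNER myapp_owner;

\connect mydb

-- Only the owner may create objects in the public schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT  CREATE ON SCHEMA public TO myapp_owner;

-- Create the application table as the owner, not as the superuser.
SET SESSION AUTHORIZATION myapp_owner;

CREATE TABLE guestbook (
    id     integer PRIMARY KEY,
    author text NOT NULL,
    body   text NOT NULL
);

-- Runtime account: read and modify existing rows, nothing else.
REVOKE ALL ON guestbook FROM PUBLIC;
GRANT SELECT, UPDATE ON guestbook TO "www-data";

RESET SESSION AUTHORIZATION;

-- Check what the web server account ended up with. Only SELECT and
-- UPDATE were granted; INSERT, DELETE and schema CREATE were not.
SELECT has_table_privilege('www-data', 'guestbook', 'SELECT')  AS can_select,
       has_table_privilege('www-data', 'guestbook', 'UPDATE')  AS can_update,
       has_table_privilege('www-data', 'guestbook', 'INSERT')  AS can_insert,
       has_table_privilege('www-data', 'guestbook', 'DELETE')  AS can_delete,
       has_schema_privilege('www-data', 'public', 'CREATE')    AS can_create;
```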
