[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PostgreSQL-Problem and Problem on Alioth


sean finney [2005-01-25 18:38 -0500]:
> On Tue, Jan 25, 2005 at 10:38:37AM +0100, Martin Pitt wrote:
> > There are two common ways to achieve that:
> > 
> > - Connect as "www-data". For this you need an appropriate PostgreSQL
> >   user ("createuser www-data" as user postgres). Then you either make
> >   www-data the owner of the database ("createdb -O www-data mydb") or
> >   you set the owner to some application-specific PostgreSQL user and
> >   only GRANT the necessary permissions to www-data (usually you need
> >   table creation etc. only for package installation and can restrict
> >   www-data permissions to SELECT/UPDATE).
> if i'm understanding correctly, a security drawback of both these
> methods is that any web application would effectively have r/w privileges
> to every web app's database, right?

It does not make a difference whether you use the "owned by www-data"
approach or use different owners with passwords. The webserver can
read all scripts (_including_ the passwords) anyway, so regardless of
how you do it, all your databases will be fair game to your web

> >   This solution has the advantage that you don't need to modify
> >   pg_hba.conf (since you can use "ident sameuser" authentication).
> which is certainly not to be overlooked.  i think maybe a disclaimer
> like "if you run multiple applications, this may present a security
> risk" might be in order, but it should definitely be an option.

See above :-) I still think owning the database by an
application-specific user and granting the necessary permissions to
www-data is an easy method, and it gives you the maximum amount of
security you can expect from this use case (least privilege).

> > - Connect as $dbc_dbuser and use "password" authentication. ident
> >   makes not much sense since the database user has not necessarily
> >   a system user counterpart (if it has, then this would of course
> >   work). But if it hasn't, you need a pg_hba.conf entry.

Well, this is not _exactly_ right since you can map system users to
database users in pg_ident.conf, but that would mean yet another
conffile to touch.

> also, it looks like pg_hba.conf and pg_ident.conf both have some
> kind of @include functionality, which might make messing with either
> of the files moot.  i'll have to look more into these details...

I think pg_hba.conf does not have this feature. However, if that would
help and some kind of pg_hba.d/ structure would solve problems, I
think it would not be that hard to add that feature for Debian.

However, the general approach to these web applications wrt
databases should be discussed, and a generally working solution should
be found before I start hacking. :-)


Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: