hacker help: PHP-4.2.3 patch to allow restriction of database access
| От | Jim Mercer |
|---|---|
| Тема | hacker help: PHP-4.2.3 patch to allow restriction of database access |
| Дата | |
| Msg-id | 20020927002651.GA50244@reptiles.org обсуждение исходный текст |
| Ответы |
Re: hacker help: PHP-4.2.3 patch to allow restriction of
Re: hacker help: PHP-4.2.3 patch to allow restriction of database access |
| Список | pgsql-hackers |
the following was sent to the php developer's list, and they came back with: > > Isn't it generally better (where "better" means more secure, > > efficient, and easily maintained) to handle database access > > control using PostgreSQL's native access mappings? > > I would think so, and IMHO, that's where pgsql access control > belongs, with pgsql. as best i can understand, there is no way to get apach/php/pgsql configured (using "PostgreSQL's native access mappings") that would disallow php code in one virtual host from connecting to any database on the system. i understand that on a user level, we can control which tables they have access to (disregarding that almost all access will be by the "web" user). can anyone make some valid arguments for/against the patch in php? or any suggestions on how to do it in pgsql? ----- Forwarded message from Jim Mercer <jim@reptiles.org> ----- Date: Thu, 26 Sep 2002 14:54:45 -0400 From: Jim Mercer <jim@reptiles.org> To: pgsql-general@postgreSQL.org Subject: PHP-4.2.3 patch to allow restriction of database access the patch is at: ftp://ftp.reptiles.org/pub/php/php-pgsql.patch this patch adds the config variable pgsql.allowed_dblist by default it has no value, meaning all databases are accessible it can contain a colon delimited list of databases that are accessible. if the database accessed is not in the list, and the list is not null, then an error is returned as if the database did not exist this patch is relative to php-4.2.3 this function would be very useful to apache/virtual hosting. i have tested with the following in my apache httpd.conf: <Directory /home/www/htdocs/jim> php_admin_value pgsql.allowed_dblist "jim:billing" </Directory> although it can be accomplished by other means, setting the variable to a value of ":" effectively locks the code out of pgsql. also, a special tag of "-all-" will allow access to all databases. -- [ Jim Mercer jim@reptiles.org +1 416 410-5633 ] [ I want to live forever, or die trying. ] ----- End forwarded message ----- -- [ Jim Mercer jim@reptiles.org +1 416 410-5633 ] [ I want to live forever, or die trying. ]
В списке pgsql-hackers по дате отправления: