Re: maximum for database users?
From | Bruno Wolff III |
---|---|
Subject | Re: maximum for database users? |
Date | |
Msg-id | 20060204221211.GC15063@wolff.to |
In reply to | Re: maximum for database users? (Chris Browne <cbbrowne@acm.org>) |
List | pgsql-novice |
On Fri, Feb 03, 2006 at 19:15:37 -0500, Chris Browne <cbbrowne@acm.org> wrote:
>
> But it is fairly common for applications to not expose database users
> to the application users.
>
> For instance, the SAP R/3 system (which doesn't use PostgreSQL; it
> typically uses Oracle) generally runs as just one database user.

And doing this in the wrong circumstances is a big security hole. For example, giving someone two-tier access in Peoplesoft gives away the whole system because the application is running in an untrusted environment and is connecting as a database user that has full access to all of the Peoplesoft tables.

> Likewise, it is common for a web application to have one or just a few
> "database users;" think of Slashdot, where there is not really any
> reason for each of the many thousands of users to be identifiable
> inside the database.

This isn't the same problem for use with web services, since typically the web server is running in a trusted environment. However, it can make it easier to escalate access in the event of a security breach.
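
The escalation concern in the last paragraph, as an added PostgreSQL example that is not part of the original message: the shared web-application login is kept separate from the role that owns the tables and is granted only the statements the application issues, so a compromised web server does not inherit full access to every table. The role, schema and table names are constructed for illustration, and the script assumes it is run by a superuser.

```sql
-- Added example; all names below are constructed, not taken from the thread.
BEGIN;

-- The owner role holds the objects but cannot log in.
CREATE ROLE forum_owner NOLOGIN;
-- The single shared account the web server connects as.
-- Authentication (password, pg_hba.conf) is configured separately.
CREATE ROLE forum_web LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;

CREATE SCHEMA forum AUTHORIZATION forum_owner;
SET ROLE forum_owner;
CREATE TABLE forum.users (
    id      serial PRIMARY KEY,
    name    text NOT NULL UNIQUE,
    pw_hash text NOT NULL
);
CREATE TABLE forum.comments (
    id      serial PRIMARY KEY,
    user_id integer NOT NULL REFERENCES forum.users (id),
    body    text NOT NULL,
    posted  timestamptz NOT NULL DEFAULT now()
);
RESET ROLE;

-- Weak setup the message warns about: the application connects as the
-- owner, or is handed everything, for example
--   GRANT ALL ON ALL TABLES IN SCHEMA forum TO forum_web;

-- Restricted setup: only what the application needs.
REVOKE ALL ON SCHEMA forum FROM PUBLIC;
GRANT USAGE ON SCHEMA forum TO forum_web;
GRANT SELECT (id, name) ON forum.users TO forum_web;     -- pw_hash stays unreadable
GRANT SELECT, INSERT ON forum.comments TO forum_web;     -- no UPDATE or DELETE
GRANT USAGE ON SEQUENCE forum.comments_id_seq TO forum_web;

-- Inspect what a breach of the web account would expose.
SELECT has_table_privilege('forum_web', 'forum.comments', 'INSERT') AS can_post,
       has_table_privilege('forum_web', 'forum.comments', 'DELETE') AS can_delete,
       has_column_privilege('forum_web', 'forum.users', 'pw_hash', 'SELECT')
           AS can_read_hashes;

ROLLBACK;  -- leave the database unchanged after the demonstration
```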