Re: Automating access grants
From | David Fetter |
---|---|
Subject | Re: Automating access grants |
Date | |
Msg-id | 20070315122443.GA11315@fetter.org |
In reply to | Re: Automating access grants (Douglas McNaught <doug@mcnaught.org>) |
List | pgsql-general |
On Thu, Mar 15, 2007 at 07:38:25AM -0400, Douglas McNaught wrote:
> "Kynn Jones" <kynnjo@gmail.com> writes:
>
> > We have an in-house Postgres database that we would like to make
> > publicly accessible via a password-less login (user: anonymous).
> > (We already have a web front-end for this database, but we have
> > had a lot of requests to allow programmatic access in a way that
> > does not require scraping web pages; FWIW, web scraping of this
> > site is already disallowed in our TOS.)
>
> Honestly, I would consider writing a web (i.e. SOAP or XML-RPC)
> service for this purpose rather than allowing direct access.
> That lets you control what kind of queries can be run.  It's more
> work, but much cleaner and more secure.  There are too many ways
> even a read-only user can perform a DOS attack.

Simple example: you allow reads on table foo.  Attacker does:

SELECT *
FROM foo f1, foo f2, foo f3, foo f4, foo f5, foo f6, foo f7, foo f8,
     foo f9, foo f10, foo f11, foo f12, foo f13, foo f14, foo f15,
     foo f16, foo f17, foo f18, foo f19, foo f20;

Cheers,
D
--
David Fetter <david@fetter.org> http://fetter.org/
phone: +1 415 235 3778        AIM: dfetter666
                              Skype: davidfetter

Remember to vote!
Consider donating to PostgreSQL: http://www.postgresql.org/about/donate
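As an added illustration (not part of the thread; the table name foo and the role anonymous come from the discussion, while the sample rows and the specific limits are assumptions), the following SQL shows how far the cross join above blows up on even a tiny table, and which per-role PostgreSQL settings cap what such a read-only login can cost the server:

```sql
-- Added example, not from the original mail.  Assumes a fresh database and
-- a superuser session; "foo" and "anonymous" are the names used in the thread.

-- Constructed sample data: ten small rows is all it takes.
CREATE TABLE foo (id int PRIMARY KEY, payload text);
INSERT INTO foo SELECT g, repeat('x', 100) FROM generate_series(1, 10) AS g;
CREATE ROLE anonymous LOGIN;           -- password-less login as described in the thread
GRANT SELECT ON foo TO anonymous;      -- read-only: SELECT and nothing else

-- EXPLAIN shows the planner's row estimate without executing the join.
-- Five copies of a 10-row table already estimate ~10^5 rows; the twenty
-- copies in the mail multiply out to ~10^20, which never finishes.
EXPLAIN SELECT * FROM foo f1, foo f2, foo f3, foo f4, foo f5;

-- Per-role limits.  ALTER ROLE ... SET values are applied when the role
-- logs in, so they take effect in new sessions opened as anonymous.
ALTER ROLE anonymous CONNECTION LIMIT 5;                   -- at most 5 concurrent sessions
ALTER ROLE anonymous SET statement_timeout = '5s';         -- cancel any statement after 5 s
ALTER ROLE anonymous SET work_mem = '4MB';                 -- bound per-sort/per-hash memory
ALTER ROLE anonymous SET idle_in_transaction_session_timeout = '30s';  -- PostgreSQL 9.6 and later

-- In a new session opened as anonymous, the twenty-way join from the mail
-- is cancelled rather than running until the server runs out of resources:
--   psql -U anonymous -c "SELECT count(*) FROM foo f1, foo f2, foo f3, foo f4,
--        foo f5, foo f6, foo f7, foo f8, foo f9, foo f10, foo f11, foo f12,
--        foo f13, foo f14, foo f15, foo f16, foo f17, foo f18, foo f19, foo f20;"
--   ERROR:  canceling statement due to statement timeout
```

Caveat: statement_timeout and work_mem are user-settable parameters, so a session can simply run SET statement_timeout = 0 and remove the limit again; the role-level value is a default, not an enforced ceiling. Only the connection limit and whatever a proxy or application layer imposes hold against a client that knows this, which is the substance of the suggestion in the quoted reply to put a web service in front of the database instead of exposing SQL directly.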