Re: [GENERAL] Postgres CGI Security Problem
From | Vadim Mikheev |
---|---|
Subject | Re: [GENERAL] Postgres CGI Security Problem |
Date | |
Msg-id | 35CC09D0.7550C8E@krs.ru |
In reply to | Postgres CGI Security Problem (Chris Hardie <chris@summersault.com>) |
Replies | Re: [GENERAL] Postgres CGI Security Problem |
List | pgsql-general |
Chris Hardie wrote:
>
> The situation: I have one machine with general user access. Some users
> (including myself) own a postgres database. Some users (including myself)
> use postgres as a back-end for CGI applications, using the Postgres.pm
> module for Perl. This requires that user "nobody" (or www, or whomever)
> have read/write access to my database.
>
> The problem: While it's very handy that I can write CGI scripts that can
> read/write my database, it's a security problem. Other users' CGI scripts
> will also make use of the "nobody" identity to access the database, which
> means they can potentially read/write the data in my database if they
> wanted to.
>
> The fix: You tell me. It would seem to involve a "setuid" of sorts for
                                                    ^^^^^^
> how the httpd process accesses the postgres database.

Apache has the suexec program to run users' CGI and SSI under the users' privileges...

Vadim
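
The suexec suggestion above, sketched for a current Apache 2.4 and PostgreSQL install, as an added example that is not part of the original thread. The account name `chris`, the host name and the paths are assumptions, and `peer` authentication in `pg_hba.conf` is an assumed companion setting that the thread does not mention.

```conf
# ---- httpd.conf (Apache 2.4, mod_suexec; suexec binary installed setuid root) ----

# Before: every user's CGI script runs as the one server-wide identity,
# so any script can reach whatever "nobody" is allowed to reach.
User nobody
Group nobody

LoadModule suexec_module modules/mod_suexec.so

# After: CGI requests in this virtual host are executed through suexec
# as the owning account instead of "nobody".
<VirtualHost *:80>
    ServerName chris.example.org            # assumed host name
    DocumentRoot /home/chris/public_html    # assumed path; must sit under
                                            # suexec's compiled-in docroot
    SuexecUserGroup chris chris             # assumed account and group
    ScriptAlias /cgi-bin/ /home/chris/public_html/cgi-bin/
    <Directory /home/chris/public_html/cgi-bin>
        Options +ExecCGI
        Require all granted
    </Directory>
</VirtualHost>

# suexec refuses to run a script unless the script and its directory are
# owned by the target user and group and are not writable by group or others.

# ---- pg_hba.conf (assumed companion setting on the database side) ----

# Unix-socket connections are accepted only when the OS user name of the
# connecting process equals the requested database role, and only for the
# database named after that role. A script running as "chris" reaches the
# "chris" database; a script running as anyone else does not.
# TYPE  DATABASE  USER  METHOD
local   sameuser  all   peer
```

With this split, the shared `nobody` role no longer needs any grants on per-user databases and can be removed from them.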