Re: [GENERAL] Postgres CGI Security Problem
From | The Web Administrator |
---|---|
Subject | Re: [GENERAL] Postgres CGI Security Problem |
Date | |
Msg-id | 35CC5560.8D7A3B1E@wizard.ca |
In reply to | Re: [GENERAL] Postgres CGI Security Problem (Maarten Boekhold <maartenb@dutepp0.et.tudelft.nl>) |
List | pgsql-general |
> Another way to handle it, if you are using Perl, is to create a separate user (i.e. Xdf83sr) or some other impossible to guess name, and have it in the actual Perl Script as $<=<userid of the fake user> and then grant access to that user rather than the 'nobody' or 'www' user.. Of course, using things like inetd to prevent access from any other machines than from your own local network goes a long way to handling ne'er do wells. Otherwise if they get a copy of your passwd file, they just have to try the names one at a time. IP authentication at the postmaster level would be a much better solution, because the web server inherently doesn't use passwds..
>
> Chris Hardie wrote:
> >
> > > The situation: I have one machine with general user access. Some users
> > > (including myself) own a postgres database. Some users (including myself)
> > > use postgres as a back-end for CGI applications, using the Postgres.pm
> > > module for Perl. This requires that user "nobody" (or www, or whomever)
> > > have read/write access to my database.
> > >
> > > The problem: While it's very handy that I can write CGI scripts that can
> > > read/write my database, it's a security problem. Other users' CGI scripts
> > > will also make use of the "nobody" identity to access the database, which
> > > means they can potentially read/write the data in my database if they
> > > wanted to.
> >

--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Michael - System Administrator          Working in Cheap Canadian Dollars
Unix Administration - WebSite Hosting - Network Services - Programming
Wizard Internet Services - TechnoWizard Computers - Wizard Tower TechnoServices
------------------------------------------------------------------------------
(604) 589-0037          Beautiful British Columbia, Canada
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
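
The per-application database user suggested in the reply above, sketched as an added example that is not part of the original message. It uses current PostgreSQL role and privilege syntax; the role `cgi_guestbook`, the table `guestbook`, the sequence `guestbook_id_seq`, and the existence of a shared `nobody` role are assumptions.

```sql
-- Hypothetical names throughout: role cgi_guestbook, table guestbook,
-- sequence guestbook_id_seq. A shared database role "nobody" is assumed
-- to exist already (the identity every CGI script on the host uses).

-- Dedicated login role for this one CGI application, with no
-- administrative attributes.
CREATE ROLE cgi_guestbook LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Remove access held by everyone and by the shared web-server identity.
REVOKE ALL ON TABLE guestbook FROM PUBLIC;
REVOKE ALL ON TABLE guestbook FROM nobody;
REVOKE ALL ON SEQUENCE guestbook_id_seq FROM PUBLIC, nobody;

-- Grant only what this application needs (no DELETE, no TRUNCATE).
GRANT SELECT, INSERT, UPDATE ON TABLE guestbook TO cgi_guestbook;
GRANT USAGE ON SEQUENCE guestbook_id_seq TO cgi_guestbook;

-- Check the result: the shared identity should have no access to the
-- table, and the dedicated role should have exactly what was granted.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'guestbook', 'SELECT') AS can_select,
       has_table_privilege(r.rolname, 'guestbook', 'INSERT') AS can_insert,
       has_table_privilege(r.rolname, 'guestbook', 'DELETE') AS can_delete
FROM pg_roles r
WHERE r.rolname IN ('nobody', 'cgi_guestbook');
```

The grants only separate the applications if other users' scripts cannot connect as `cgi_guestbook`, so how that role authenticates to the server matters as much as the privileges themselves.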