Re: [GENERAL] Postgres CGI Security Problem

>

Another way to handle it is if you are using perl is to create a seperate user
(ie. Xdf83sr)or some other impossible to guess name, and have it in the actual
Perl Script as $<=<userid of the fake user> and then grant access to that user
rather than the 'nobody' or 'www' user..  Of course, using things like inetd to
prevent access from any other machines than from your own local network goes a
long way to handling ne'er do wells. Other wise if they get a copy of your passwd
file, they just have to try the names one at a time.
IP authentication at the postmaster level would be a much better solution, because
the web server inherently doesn't use passwds..

> > Chris Hardie wrote:
> > >
> > > The situation: I have one machine with general user access.  Some users
> > > (including myself) own a postgres database.  Some users (including myself)
> > > use postgres as a back-end for CGI applications, using the Postgres.pm
> > > module for Perl. This requires that user "nobody" (or www, or whomever)
> > > have read/write access to my database.
> > >
> > > The problem: While it's very handy that I can write CGI scripts that can
> > > read/write my database, it's a security problem.  Other users` CGI scripts
> > > will also make use of the "nobody" identity to access the database, which
> > > means they can potentially read/write the data in my database if they
> > > wanted to.
> >

--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Michael - System Administrator              Working in Cheap Canadian Dollars
Unix Administration - WebSite Hosting - Network Services - Programming
Wizard Internet Services - TechnoWizard Computers - Wizard Tower TechnoServices
------------------------------------------------------------------------------
(604) 589-0037          Beautiful British Columbia, Canada
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++