Hi!

sean finney [2005-01-25 18:38 -0500]:
> On Tue, Jan 25, 2005 at 10:38:37AM +0100, Martin Pitt wrote:
> > There are two common ways to achieve that:
> >
> > - Connect as "www-data". For this you need an appropriate PostgreSQL
> >   user ("createuser www-data" as user postgres). Then you either make
> >   www-data the owner of the database ("createdb -O www-data mydb") or
> >   you set the owner to some application-specific PostgreSQL user and
> >   only GRANT the necessary permissions to www-data (usually you need
> >   table creation etc. only for package installation and can restrict
> >   www-data permissions to SELECT/UPDATE).
>
> If I'm understanding correctly, a security drawback of both these
> methods is that any web application would effectively have r/w privileges
> to every web app's database, right?
It does not make a difference whether you use the "owned by www-data"
approach or use different owners with passwords. The webserver can read
all scripts (_including_ the passwords) anyway, so regardless of how you
do it, all your databases will be fair game to your web server.

> > This solution has the advantage that you don't need to modify
> > pg_hba.conf (since you can use "ident sameuser" authentication).
>
> Which is certainly not to be overlooked. I think maybe a disclaimer
> like "if you run multiple applications, this may present a security
> risk" might be in order, but it should definitely be an option.

See above :-) I still think owning the database by an application-specific
user and granting the necessary permissions to www-data is an easy method,
and it gives you the maximum amount of security you can expect from this
use case (least privilege).

> > - Connect as $dbc_dbuser and use "password" authentication. ident
> >   does not make much sense since the database user does not necessarily
> >   have a system user counterpart (if it has, then this would of course
> >   work). But if it hasn't, you need a pg_hba.conf entry.

Well, this is not _exactly_ right since you can map system users to
database users in pg_ident.conf, but that would mean yet another conffile
to touch.

> Also, it looks like pg_hba.conf and pg_ident.conf both have some
> kind of @include functionality, which might make messing with either
> of the files moot. I'll have to look more into these details...

I think pg_hba.conf does not have this feature. However, if that would
help and some kind of pg_hba.d/ structure would solve problems, I think it
would not be that hard to add that feature for Debian.

However, the general approach to these web applications wrt databases
should be discussed, and a generally working solution should be found
before I start hacking. :-)

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
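The least-privilege variant Martin describes above (an application-specific owner holds the schema, www-data gets only per-table SELECT/UPDATE rights and authenticates via "ident sameuser"), written out as an added example; this is not from the mail or from dbconfig-common, and the database, role, table names and password placeholder are assumed:

```sql
-- Run as the postgres superuser.
-- The owner role gets a password; www-data gets none, because it only
-- ever connects locally as the www-data system user (ident sameuser).
CREATE USER myapp_owner WITH PASSWORD 'PLACEHOLDER-owner-password';
CREATE USER "www-data";        -- quoted: the hyphen is not a valid bare identifier
CREATE DATABASE myapp OWNER myapp_owner;

-- Matching pg_hba.conf entry (the one you avoid editing in the
-- "owned by www-data" variant, but still need for password auth):
--   local   myapp   www-data   ident sameuser

-- Package installation runs as the owner, which may create tables etc.
\connect myapp myapp_owner
CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT);
CREATE TABLE sessions (id SERIAL PRIMARY KEY, data TEXT);

-- Take away the default rights first, then grant only what the running
-- web application needs; www-data never gets ownership or DDL rights.
REVOKE ALL ON settings, sessions FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;        -- no "CREATE TABLE" as www-data
GRANT SELECT, UPDATE ON settings TO "www-data";    -- read and change values only
GRANT SELECT, INSERT, UPDATE, DELETE ON sessions TO "www-data";
GRANT SELECT, UPDATE ON sessions_id_seq TO "www-data";  -- nextval() for SERIAL inserts

-- Checks: each of these fails with "permission denied" when run as
-- www-data, which is exactly the restriction the thread is after.
--   \connect myapp www-data
--   DROP TABLE settings;
--   ALTER TABLE settings ADD COLUMN extra TEXT;
--   CREATE TABLE scratch (x INT);
--   DELETE FROM settings;
```

A second application installed the same way gets its own owner and its own database; www-data still holds rights in both, which is the limit Martin points out: the web server process itself can read every application's credentials, so isolation between applications has to come from running them as different system users, not from PostgreSQL alone.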