Hello folks,
First a question and then the rest:
Does the PostgreSQL log contain the stored function calls with
all parameters? Or is this something that could be set?
I would appreciate anyone wiser than me to comment on the
following:
I am making an app for PostgreSQL (the server). The clients
are connecting through the same single user. There is a model of the user
organization inside (position hierarchy), each person (virtual user) assigned a
position, positions have privileges assigned.
If I want to access a function (like do this or that with
data), I use a stored function and pass the id# of the user plus all the
necessary things. First, I check if the person is authorized to carry out
the operation. If so, the operation is performed.
There are users who are administrators. Thus, they are
allowed to do anything.
My problem is the following: I can do a check for whether the
person requesting the operation is logged in (that means no dirty hacks with my
name if I am not logged in). But then anybody can find out the id# of an
administrator and use that to identify himself when asked for.
I thought about using electronic signatures or something
similar. That would mean sending the key of the users around when calling the
stored functions.
Does the DB log contain the function calls with the parameters
of the function too? If not, then by using an SSL connection I could prevent
crackers from accessing the data.
Please feel free to comment, object, etc.
Thanks
Zoltan
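
The check described in this message, as an added example that is not part of the original post: the same position/privilege test, keyed on a random per-login token instead of the guessable person id#. All table, column and function names are hypothetical, the position hierarchy is left out, and `gen_random_uuid()` assumes PostgreSQL 13 or later (or the pgcrypto extension).

```sql
-- Hypothetical schema for the model in the post: each person holds a
-- position, positions carry privileges, administrators may do anything.
CREATE TABLE org_position (
    position_id integer PRIMARY KEY,
    is_admin    boolean NOT NULL DEFAULT false
);
CREATE TABLE person (
    person_id   integer PRIMARY KEY,
    position_id integer NOT NULL REFERENCES org_position
);
CREATE TABLE position_privilege (
    position_id integer NOT NULL REFERENCES org_position,
    operation   text    NOT NULL,
    PRIMARY KEY (position_id, operation)
);
-- One row per logged-in person. The token is random; the id# is not.
CREATE TABLE app_session (
    token      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    person_id  integer NOT NULL REFERENCES person,
    expires_at timestamptz NOT NULL DEFAULT now() + interval '30 minutes'
);

-- Called by a login routine (not shown) after it has verified the person's
-- credentials; returns the token the client presents from then on.
CREATE FUNCTION open_session(p_person_id integer) RETURNS uuid
LANGUAGE sql AS $$
    INSERT INTO app_session (person_id) VALUES (p_person_id) RETURNING token;
$$;

-- Authorization check for the top of every stored function.
-- The caller passes the session token, never a person id#, so knowing an
-- administrator's id# is not enough to act as that administrator.
CREATE FUNCTION is_authorized(p_token uuid, p_operation text) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1
        FROM app_session s
        JOIN person       pe ON pe.person_id   = s.person_id
        JOIN org_position po ON po.position_id = pe.position_id
        WHERE s.token = p_token
          AND s.expires_at > now()              -- expired sessions never pass
          AND (po.is_admin                      -- administrators: anything
               OR EXISTS (SELECT 1 FROM position_privilege pp
                          WHERE pp.position_id = po.position_id
                            AND pp.operation   = p_operation))
    );
$$;
```

The token is only as secret as the channel and the logs: with `log_statement = 'all'` the server log records the full statement text, literal arguments included. The shared login role also must not be able to read `app_session` directly.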