
Re: Security Best Practices: Is This Reasonable?

From: Howard Eglowstein <howard(at)yankeescientific(dot)com>
To: Tom Browder <tom(dot)browder(at)gmail(dot)com>
Cc: "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org>
Subject: Re: Security Best Practices: Is This Reasonable?
Date: 2012-01-13 17:17:01
Message-ID: 12211F63-9430-4D83-9384-57BAEF18A9B0@yankeescientific.com
Lists: pgsql-novice
We're doing something similar to allow dealers to access relevant parts of a table and not others. Using the Apache user name login works swell and if there's a security problem with it, we haven't bumped into it yet.

Howard 

Sent from my iPad (please disregard egg freckles)

On Jan 13, 2012, at 11:24 AM, Tom Browder <tom(dot)browder(at)gmail(dot)com> wrote:

> I would appreciate any critique of this security model I want to use
> for my planned web-accessible family database:
> 
> I have a working PostgreSQL running on a remote Linux web server
> running Apache 2.  I want to allow web access to a database but want
> to restrict row update to a row owner.
> 
> All access to the site is by SSL/TLS, and I use Apache htdigest
> passwords to control access to the directory containing the database
> Perl cgi scripts.
> 
> I plan to have every table have a field (called 'owner') which will be
> filled in by the accessing user's name when a new row is created (I
> will really use an integer key unique for each user).
> 
> The site user names and passwords will be the same as the database
> user names and passwords.
> 
> I plan to have user names identified through the CGI environment and
> then, for any attempted update of any row in any table, disallow it if
> the user and owner do not match.
> 
> Thanks for any suggestions.
> 
> Best regards,
> 
> -Tom
> 
> -- 
> Sent via pgsql-novice mailing list (pgsql-novice(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-novice
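The ownership check described in the quoted message, written out as an added example (this is not code from Tom's or Howard's projects). It stands in SQLite for PostgreSQL and Python for the Perl CGI scripts so it runs offline; the `notes` table, the two users and the `USERS` name-to-integer map are constructed for the example, and the user identity is assumed to arrive in `REMOTE_USER`, which is the variable Apache sets for the script after htdigest authentication succeeds. The point it adds beyond the text: the owner test is folded into the UPDATE's WHERE clause rather than done as a separate "is this row mine?" query, the owner column is never taken from form input, and an attempt to update `owner` itself is refused.

```python
import sqlite3

# Constructed sample schema: one table with the proposed 'owner' column.
SCHEMA = """
CREATE TABLE notes (
    id    INTEGER PRIMARY KEY,
    owner INTEGER NOT NULL,   -- integer user key, as in the proposed design
    body  TEXT NOT NULL
);
"""

# Assumed mapping from htdigest user name to the integer key stored in 'owner'.
USERS = {"tom": 1, "howard": 2}

# Allow-list of columns a form may change. 'owner' and 'id' are deliberately
# absent so a crafted form field cannot reassign ownership of a row.
UPDATABLE = {"body"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def current_user(environ):
    """Identity comes only from the web server's auth result (REMOTE_USER),
    never from a form field the browser controls."""
    name = environ.get("REMOTE_USER")
    if name not in USERS:
        raise PermissionError("not authenticated")
    return USERS[name]


def create_note(conn, environ, body):
    """Insert a row; 'owner' is filled from the authenticated identity."""
    uid = current_user(environ)
    cur = conn.execute("INSERT INTO notes (owner, body) VALUES (?, ?)", (uid, body))
    conn.commit()
    return cur.lastrowid


def update_note(conn, environ, note_id, fields):
    """Update a row only if the caller owns it. Returns True on success,
    False when the row is not the caller's (or does not exist)."""
    uid = current_user(environ)
    bad = set(fields) - UPDATABLE
    if bad:
        raise ValueError("refusing to update columns: %s" % sorted(bad))
    if not fields:
        return False
    # Column names are validated against the allow-list above; values are
    # bound parameters, so no user data is interpolated into the SQL text.
    assignments = ", ".join("%s = ?" % col for col in fields)
    params = list(fields.values()) + [note_id, uid]
    # The ownership test is part of the same statement, so there is no window
    # between a separate SELECT and the UPDATE in which the row could change hands.
    cur = conn.execute(
        "UPDATE notes SET %s WHERE id = ? AND owner = ?" % assignments, params
    )
    conn.commit()
    return cur.rowcount == 1


def read_note(conn, note_id):
    row = conn.execute("SELECT owner, body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return None if row is None else {"owner": row[0], "body": row[1]}


def demo():
    """Exercise the checks with two users and return the outcomes."""
    conn = open_db()
    tom = {"REMOTE_USER": "tom"}
    howard = {"REMOTE_USER": "howard"}
    nid = create_note(conn, tom, "family reunion: July")
    results = {
        "owner_can_update": update_note(conn, tom, nid, {"body": "family reunion: August"}),
        "other_user_denied": update_note(conn, howard, nid, {"body": "hijacked"}),
        "body_after": read_note(conn, nid)["body"],
    }
    try:
        update_note(conn, howard, nid, {"owner": 2, "body": "x"})
        results["owner_reassign_refused"] = False
    except ValueError:
        results["owner_reassign_refused"] = True
    try:
        update_note(conn, {}, nid, {"body": "anon"})
        results["anonymous_refused"] = False
    except PermissionError:
        results["anonymous_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The same `WHERE id = ? AND owner = ?` pattern carries over unchanged to PostgreSQL through DBI/DBD::Pg. One caveat for the "same passwords" part of the plan: with HTTP Digest authentication the browser sends a hash, and Apache verifies it against the htdigest file, so the CGI script never sees the user's plaintext password and cannot open a PostgreSQL connection as that user with it. The script will normally connect with its own database credentials and must therefore enforce the owner check itself, as above; alternatively the owner comparison can be moved into a PostgreSQL trigger if the script passes the authenticated user to the session.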

pgsql-novice by date

Next: From: Tom Browder, Date: 2012-01-13 17:38:20
Subject: Re: Security Best Practices: Is This Reasonable?
Previous: From: Tom Browder, Date: 2012-01-13 16:24:16
Subject: Security Best Practices: Is This Reasonable?

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group