Re: hacker help: PHP-4.2.3 patch to allow restriction of database access

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Jim Mercer <jim(at)reptiles(dot)org>
Cc: pgsql-hackers(at)postgresql(dot)org, Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>
Subject: Re: hacker help: PHP-4.2.3 patch to allow restriction of database access
Date: 2002-09-27 03:42:44
Message-ID: 20623.1033098164@sss.pgh.pa.us
Lists: pgsql-hackers

Jim Mercer <jim(at)reptiles(dot)org> writes:
> as best i can understand, there is no way to get apache/php/pgsql configured
> (using "PostgreSQL's native access mappings") that would disallow php code
> in one virtual host from connecting to any database on the system.

Betraying my ignorance of PHP here: what does a server supporting
multiple virtual hosts look like from the database's end? Can we
tell the difference at all between connections initiated on behalf
of one virtual host from those initiated on behalf of another?

If we can tell 'em apart (for instance, if they differ in apparent
client IP address) then it'd make sense to put enforcement on the
database side. If we can't tell 'em apart, then we need some help
from the PHP interface code so that we can tell 'em apart.

Proceeding on the assumption that we do need some help ...

> this patch adds the config variable pgsql.allowed_dblist
> by default it has no value, meaning all databases are accessible
> it can contain a colon delimited list of databases that are accessible.

Seems like this hard-wires a rather narrow view of what sorts of
protection restrictions you need. Might I suggest instead that
an appropriate config variable would be a list of Postgres user ids
that the virtual host is allowed to connect as? Then the database's
usual protection mechanisms could be used to allow/disallow connection
to particular databases, if that's what you want. But this does more:
it lets different virtual hosts connect to the same database as
different users, and then access within that DB can be controlled using
the regular Postgres access-control mechanisms.

Essentially, the idea here is to ensure that the DB can tell virtual
hosts apart as different users.

regards, tom lane
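
An added example, not part of the original message or of the PHP patch under discussion: one way the interface code could enforce a per-virtual-host list of permitted Postgres users, using the colon-delimited format the patch describes for pgsql.allowed_dblist. The function name `pg_user_allowed` and the user names are hypothetical, and the "empty list means unrestricted" default is an assumption carried over from the patch's description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the PHP patch): returns 1 if `user` may be
 * used for a connection under the colon-delimited allow-list `allowed`.
 * Assumption mirrored from the description of pgsql.allowed_dblist:
 * a NULL or empty list means no restriction. */
int pg_user_allowed(const char *allowed, const char *user)
{
    size_t ulen;
    const char *p;

    if (allowed == NULL || *allowed == '\0')
        return 1;               /* unset: unrestricted */
    if (user == NULL || *user == '\0')
        return 0;               /* libpq would pick a default user; refuse */

    ulen = strlen(user);
    p = allowed;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        /* Compare whole tokens only, so "vhost" does not match "vhost_a"
         * and a name containing ':' can never match the list. */
        if (len == ulen && memcmp(p, user, len) == 0)
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

int main(void)
{
    /* Constructed sample values for one virtual host. */
    const char *list = "vhost_a:vhost_a_ro";
    const char *tries[] = { "vhost_a", "vhost_a_ro", "vhost", "postgres", "" };
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-12s -> %s\n", tries[i],
               pg_user_allowed(list, tries[i]) ? "allowed" : "refused");
    return 0;
}
```

With the connecting user pinned this way, which databases each virtual host can reach is decided on the server side by the regular Postgres access-control mechanisms.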
