Skip site navigation (1) Skip section navigation (2)

Re: hacker help: PHP-4.2.3 patch to allow restriction of

From: Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>
To: Jim Mercer <jim(at)reptiles(dot)org>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: hacker help: PHP-4.2.3 patch to allow restriction of
Date: 2002-09-27 02:06:43
Message-ID: Pine.LNX.4.21.0209271202580.5257-100000@linuxworld.com.au (view raw or flat)
Thread:
Lists: pgsql-hackers
On Thu, 26 Sep 2002, Jim Mercer wrote:

> On Fri, Sep 27, 2002 at 11:15:35AM +1000, Gavin Sherry wrote:
> > On Thu, 26 Sep 2002, Jim Mercer wrote:
> > > > I would think so, and IMHO, that's where pgsql access control
> > > > belongs, with pgsql.
> > 
> > I totally disagree. It is a language level restriction, not a database
> > level one, so why back it into Postgres? Just parse 'conninfo' when it is 
> > pg_(p)connect() and check it against the configuration setting.
> 
> which is effectively what my code does, except i was lazy, and i let the
> connection proceed, then check if PQdb() is in the auth list, and fail

Ahh yes. I meant to say this. No point being lazy when it comes to
security.

> maybe not _totally_ secure, but much moreso than nothing.
> 

I was basically just suggesting that its effect needs to be
documented. "This needs to be used in conjunction with other forms of
security...."

Gavin



In response to

Responses

pgsql-hackers by date

Next:From: Jim MercerDate: 2002-09-27 02:08:29
Subject: Re: hacker help: PHP-4.2.3 patch to allow restriction of database access
Previous:From: Jim MercerDate: 2002-09-27 01:49:54
Subject: Re: hacker help: PHP-4.2.3 patch to allow restriction of database access

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group