Quick Links

hacker help: PHP-4.2.3 patch to allow restriction of database access

From:	Jim Mercer <jim(at)reptiles(dot)org>
To:	pgsql-hackers(at)postgresql(dot)org
Subject:	hacker help: PHP-4.2.3 patch to allow restriction of database access
Date:	2002-09-27 00:26:51
Message-ID:	20020927002651.GA50244@reptiles.org
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

the following was sent to the php developer's list, and they came back with:

> > Isn't it generally better (where "better" means more secure,
> > efficient, and easily maintained) to handle database access
> > control using PostgreSQL's native access mappings?
>
> I would think so, and IMHO, that's where pgsql access control
> belongs, with pgsql.

as best i can understand, there is no way to get apach/php/pgsql configured
(using "PostgreSQL's native access mappings") that would disallow php code
in one virtual host from connecting to any database on the system.

i understand that on a user level, we can control which tables they have
access to (disregarding that almost all access will be by the "web" user).

can anyone make some valid arguments for/against the patch in php?
or any suggestions on how to do it in pgsql?

----- Forwarded message from Jim Mercer <jim(at)reptiles(dot)org> -----

Date: Thu, 26 Sep 2002 14:54:45 -0400
From: Jim Mercer <jim(at)reptiles(dot)org>
To: pgsql-general(at)postgreSQL(dot)org
Subject: PHP-4.2.3 patch to allow restriction of database access

the patch is at:
ftp://ftp.reptiles.org/pub/php/php-pgsql.patch

this patch adds the config variable pgsql.allowed_dblist

by default it has no value, meaning all databases are accessible

it can contain a colon delimited list of databases that are accessible.

if the database accessed is not in the list, and the list is not null,
then an error is returned as if the database did not exist

this patch is relative to php-4.2.3

this function would be very useful to apache/virtual hosting.

i have tested with the following in my apache httpd.conf:

<Directory /home/www/htdocs/jim>
php_admin_value pgsql.allowed_dblist "jim:billing"
</Directory>

although it can be accomplished by other means, setting the variable to a
value of ":" effectively locks the code out of pgsql.

also, a special tag of "-all-" will allow access to all databases.

--
[ Jim Mercer jim(at)reptiles(dot)org +1 416 410-5633 ]
[ I want to live forever, or die trying. ]

----- End forwarded message -----

--
[ Jim Mercer jim(at)reptiles(dot)org +1 416 410-5633 ]
[ I want to live forever, or die trying. ]

Responses

Re: hacker help: PHP-4.2.3 patch to allow restriction of at 2002-09-27 01:15:35 from Gavin Sherry
Re: hacker help: PHP-4.2.3 patch to allow restriction of database access at 2002-09-27 03:42:44 from Tom Lane

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Magnus Naeslund(f)	2002-09-27 00:47:52	[ANNOUNCE] PQNotify java listen / notify hack
Previous Message	Joe Conway	2002-09-26 23:32:08	Re: About connectby() again