From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
---|---|
To: | Chris Browne <cbbrowne(at)acm(dot)org> |
Cc: | pgsql-novice(at)postgresql(dot)org |
Subject: | Re: maximum for database users? |
Date: | 2006-02-04 22:12:11 |
Message-ID: | 20060204221211.GC15063@wolff.to |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-novice |
On Fri, Feb 03, 2006 at 19:15:37 -0500,
Chris Browne <cbbrowne(at)acm(dot)org> wrote:
>
> But it is fairly common for applications to not expose database users
> to the application users.
>
> For instance, the SAP R/3 system (which doesn't use PostgreSQL; it
> typically uses Oracle) generally runs as just one database user.
And doing this in the wrong circumstances is a big security whole.
For example, giving someone two tier access in Peoplesoft, gives away the
whole system because the application is running in an untrusted environment
and is connecting as a database user that full access to all of the Peoplesoft
tables.
> Likewise, it is common for a web application to have one or just a few
> "database users;" think of Slashdot, where there is not really any
> reason for each of the many thousands of users to be identifiable
> inside the database.
This isn't the same problem for use with web services, since typically the
web server is running in a trusted environment. However, it can make it
easier to escalate access in the event of a security breach.
From | Date | Subject | |
---|---|---|---|
Next Message | Murat Tasan | 2006-02-04 22:20:44 | Re: function return type is a setof some column type |
Previous Message | Bruno Wolff III | 2006-02-04 22:00:07 | Re: put text list into table form |