Re: [GENERAL] Postgres CGI Security Problem

From: Vadim Mikheev <vadim(at)krs(dot)ru>
To: Chris Hardie <chris(at)summersault(dot)com>
Cc: pgsql-general(at)postgreSQL(dot)org
Subject: Re: [GENERAL] Postgres CGI Security Problem
Date: 1998-08-08 08:18:24
Message-ID: 35CC09D0.7550C8E@krs.ru
Lists: pgsql-general

Chris Hardie wrote:
>
> The situation: I have one machine with general user access. Some users
> (including myself) own a postgres database. Some users (including myself)
> use postgres as a back-end for CGI applications, using the Postgres.pm
> module for Perl. This requires that user "nobody" (or www, or whomever)
> have read/write access to my database.
>
> The problem: While it's very handy that I can write CGI scripts that can
> read/write my database, it's a security problem. Other users' CGI scripts
> will also make use of the "nobody" identity to access the database, which
> means they can potentially read/write the data in my database if they
> wanted to.
>
> The fix: You tell me. It would seem to involve a "setuid" of sorts for
                                                    ^^^^^^
> how the httpd process accesses the postgres database.

Apache has the suexec program to run a user's CGI and SSI under
that user's privileges...

Vadim
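
The suexec arrangement suggested above, as an added configuration sketch that is not part of the original message. It assumes Apache httpd 2.4 built with the suexec wrapper and mod_userdir enabled; the account name `chris`, the paths and the table name are hypothetical.

```apache
# Added example (not from the thread). Assumptions: httpd 2.4, suexec
# wrapper installed, mod_userdir loaded; "chris" and all paths are made up.

# Before: every user's CGI runs as the server identity, so the database
# has to trust "nobody" and cannot tell one user's script from another's.
#   User nobody
#   Group nobody
#   ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

# After: per-user CGI directories. With suexec enabled, a request for
# /~chris/cgi-bin/report.cgi is executed by the wrapper as user "chris".
UserDir public_html
<Directory "/home/*/public_html/cgi-bin">
    Options +ExecCGI
    SetHandler cgi-script
    Require all granted
</Directory>

# suexec refuses to run a script unless its own checks pass, including:
#   - the script and its directory are owned by the target user
#   - neither is writable by group or other
#   - the target uid/gid are not root and are above the compiled-in minimum
# Failures are recorded in the suexec log, not the normal error log.

# Database side, run by the table owner in psql once scripts no longer
# connect as "nobody" (table name hypothetical; how the script authenticates
# as its owner depends on the server's pg_hba.conf, which the thread does
# not show):
#   REVOKE ALL ON mytable FROM PUBLIC;
#   REVOKE ALL ON mytable FROM nobody;
```

suexec covers only CGI and SSI programs started as separate processes; code run inside the server process, such as mod_perl handlers, still executes as the server identity.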
