Postgres CGI Security Problem

From: Chris Hardie <chris(at)summersault(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Postgres CGI Security Problem
Date: 1998-08-08 00:49:58
Message-ID: Pine.NEB.4.02.9808071944400.7035-100000@nollie.summersault.com
Lists: pgsql-general


The situation: I have one machine with general user access. Some users
(including myself) own a postgres database. Some users (including myself)
use postgres as a back-end for CGI applications, using the Postgres.pm
module for Perl. This requires that user "nobody" (or www, or whomever)
have read/write access to my database.

The problem: While it's very handy that I can write CGI scripts that can
read/write my database, it's a security problem. Other users' CGI scripts
will also make use of the "nobody" identity to access the database, which
means they can potentially read/write the data in my database if they
wanted to.

The fix: You tell me. It would seem to involve a "setuid" of sorts for
how the httpd process accesses the postgres database.

Any help much appreciated!
Chris

---------------------------------------------
Chris Hardie chris(at)summersault(dot)com
http://www.summersault.com/chris
vincendum est
---------------------------------------------
