I've got a user with CREATEUSER privs. I've not granted that user and DB
specific privs but it can do what it will with non-public schemas... Is
there a user that can do SET SESSION AUTHORIZATION but does not have privs
otherwise?
Basically I want a login user that can then set session auth... to any other
user but otherwise has no privs. (Having createuser is acceptable.) I'm
looking into a way to give connection pooled access to a web site
(connections must have the same user/pw info to be pooled) but to then
enforce DB-level security. I do not want the account that the web container
uses to access the db to have any db-level privs.
(I.e., rather than the Unix "root" account, something more like VMS (now
Windows NT) user privs. VMS users had a "set priv" privilege which, of
course, could indirectly give the holder of that priv any other priv. But
only indirectly. It has some benefits.)
Thanks,
== Ezra Epstein
"ezra epstein" <ee************ ***@prajnait.co m> writes:
> Basically I want a login user that can then set session auth... to any other user but otherwise has no privs.
You have not thought this through.
If user X can become any other user Y, then he can do anything that is
doable within the system. Pretending that he is not superuser is
pointless.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faqs/FAQ.html
On Fri, Jan 02, 2004 at 07:18:45 -0800,
ezra epstein <ee************ ***@prajnait.co m> wrote:
> I've got a user with CREATEUSER privs. I've not granted that user and DB specific privs but it can do what it will with non-public schemas... Is there a user that can do SET SESSION AUTHORIZATION but does not have privs otherwise?
> Basically I want a login user that can then set session auth... to any other user but otherwise has no privs. (Having createuser is acceptable.) I'm looking into a way to give connection pooled access to a web site (connections must have the same user/pw info to be pooled) but to then enforce DB-level security. I do not want the account that the web container uses to access the db to have any db-level privs.
If the web server and the DB server are the same machine or the web server
machine runs an identd service that you can trust, then you can do what you
want using ident authentication. The ident map file doesn't have an "all"
keyword, so you will need to update it as you add users.
> (I.e., rather than the Unix "root" account, something more like VMS (now Windows NT) user privs. VMS users had a "set priv" privilege which, of course, could indirectly give the holder of that priv any other priv. But only indirectly. It has some benefits.)
VMS' set priv feature wasn't well designed (at least in early versions of VMS).
You didn't need to reauthenticate to elevate your privileges, so you still
had to be VERY careful when running other people's programs as they would
have access to your elevated privileges.
"Tom Lane" <tg*@sss.pgh.pa .us> wrote in message
news:65******** *****@sss.pgh.p a.us...
> "ezra epstein" <ee************ ***@prajnait.co m> writes:
> > Basically I want a login user that can then set session auth... to any other user but otherwise has no privs.
> You have not thought this through.
> If user X can become any other user Y, then he can do anything that is doable within the system. Pretending that he is not superuser is pointless.
> regards, tom lane
I know, I know.... It's like I want something that just isn't possible. I
want good DB-level security in the app without requiring the overhead of
per-userid login: so connection pools can work. The app could be careful
with super user... but it is probably better to just go the ordinary route
of an app account with enough privs to do everything and then have the
app/servlet container manage security.
Thanks,
== EE
On Sat, Dec 06, 2003 at 22:33:00 -0800,
Ezra Epstein <sf******@prajn ait.com> wrote:
> Thank you Bruno for the informative reply.
> I'm not sure how ident solves this. I would like the session to run as the actual user (via set session authorization) so that that user's actual privs are enforced. But I want the connection to be shared: so it cannot be per login (username/pw combo). I'm not up on ident enough to see the fit. Any pointers would be most welcome.
I was wrong about this being useful in your situation. SET SESSION
AUTHORIZATION doesn't reauthenticate, it only allows you to switch
to a new user if you originally were connected as a superuser.
Ident authentication would only be useful if you could close and then
reopen the connection. This could be useful if the overhead of doing
this wasn't a concern.
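The behaviour discussed in this thread, as an added example that is not part of the original posts: a pooled superuser connection switches identity with SET SESSION AUTHORIZATION, and the switch can be undone or redirected from inside the same session without any credential. The role and table names (pool_su, alice, bob, payroll) are constructed, and the setup uses current PostgreSQL syntax rather than the 2004-era CREATE USER ... CREATEUSER.

```sql
-- Added example; pool_su, alice, bob and payroll are constructed names.
-- Setup, run once by an existing superuser.
-- (In the PostgreSQL releases current when this thread was written,
--  CREATE USER ... CREATEUSER also made the account a superuser.)
CREATE ROLE pool_su LOGIN SUPERUSER;    -- the single login shared by the pool
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
CREATE TABLE payroll (employee text, salary numeric);
REVOKE ALL ON payroll FROM PUBLIC;
GRANT SELECT ON payroll TO bob;         -- alice holds no grant on payroll

-- A pooled connection, authenticated as pool_su.
-- Step 1: the application switches to the end user before running queries.
SET SESSION AUTHORIZATION alice;
SELECT session_user, current_user;      -- both now name the switched-to user
SELECT * FROM payroll;                  -- checked against alice's privileges

-- Step 2: nothing is re-authenticated on the way back. Permission to
-- switch is decided by the user who authenticated the connection, not by
-- the identity the session currently carries.
RESET SESSION AUTHORIZATION;
SELECT session_user, current_user;      -- back to the authenticated superuser
SELECT * FROM payroll;                  -- checked as a superuser again

-- Step 3: the same applies while the session is running as alice, so any
-- statement that reaches the session can move it to another identity.
SET SESSION AUTHORIZATION alice;
SET SESSION AUTHORIZATION bob;          -- accepted: the login was a superuser
SELECT * FROM payroll;                  -- checked against bob's grant
RESET SESSION AUTHORIZATION;            -- return the connection to the pool
```

The per-user privilege checks in step 1 are real, but they hold only as long as every statement sent over the pooled connection is trusted not to issue step 2 or step 3.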