Hello folks,
First a question and then the rest:
Does the PostgreSQL log contain the stored function calls with all parameters? Or is this something that could be set?
I would appreciate anyone wiser than me to comment on the following:
I am making an app for PostgreSQL (the server). The clients are connecting through the same single user. There is a model of the user organization inside (position hierarchy), each person (virtual user) assigned a position, positions have privileges assigned.
If I want to access a function (like do this or that with data), I use a stored function and pass the id# of the user plus all the necessary things. First, I check if the person is authorized to carry out the operation. if so, the operation is performed.
There are users, who are administrators. Thus, they are allowed to do anything.
My problem is the following: I can do a check for whether the person requesting the operation is logged in (that means no dirty hacks with my name if I am not logged in). But then anybody can find out the id# of an administrator and use that to identify himself when asked for.
I thought about using electronic signatures or something similar. That would mean sending the key of the users around when calling the stored functions.
does the DB log contain the function calls with the parameters of the function too? If not, then by using an SSL connection I could prevent crackers from accessing the data.
Please feel free to comment, object, etc.
Thanks
Zoltan
4  1223 
On Wednesday 02 June 2004 02:04, BARTKO Zoltan wrote: I would appreciate anyone wiser than me to comment on the following:
I am making an app for PostgreSQL (the server). The clients are connecting
through the same single user. There is a model of the user organization
inside (position hierarchy), each person (virtual user) assigned a
position, positions have privileges assigned.
If I want to access a function (like do this or that with data), I use a
stored function and pass the id# of the user plus all the necessary things.
First, I check if the person is authorized to carry out the operation. if
so, the operation is performed.
There are users, who are administrators. Thus, they are allowed to do
anything.
My problem is the following: I can do a check for whether the person
requesting the operation is logged in (that means no dirty hacks with my
name if I am not logged in). But then anybody can find out the id# of an
administrator and use that to identify himself when asked for.
You can probably use set session authorization. Here are some brief steps.
1. Convert all your users as postgresql database users
2. Always login from app. to postgresql as superuser
3. While doing anything on behalf of a user, use set session authorization to
switch identity.
4. Grant appropriate permissions on postgresql object to each user/group
5. Let postgresql handle the dirty work of access checking.
Of course you have to make sure that the user does not issue a set session
authorization in any ways. It might be made to happen if you don't escape
user supplied data appropriately..
does the DB log contain the function calls with the parameters of the
function too? If not, then by using an SSL connection I could prevent
crackers from accessing the data.
Turn on statement logging and see if that suffices your purpose.
HTH
Shridhar
---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings On Wednesday 02 June 2004 02:04, BARTKO Zoltan wrote: I would appreciate anyone wiser than me to comment on the following:
I am making an app for PostgreSQL (the server). The clients are
connecting through the same single user. ...
If I want to access a function (like do this or that with data), I
use a stored function and pass the id# of the user plus all the
necessary things. First, I check if the person is authorized to carry
out the operation. if so, the operation is performed.
There are users, who are administrators. Thus, they are allowed to do
anything.
You can probably use set session authorization. Here are some brief
steps.
1. Convert all your users as postgresql database users
If he's going to do this, why bother with hard-coding a single user id
and password in the application -- why not have the user log in as their
defined Postgresql user, and let the data base handle all the security
and permission issues?
--Berend Tober
---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faqs/FAQ.html
On Wednesday 02 June 2004 17:58, bt****@computer.org wrote: You can probably use set session authorization. Here are some brief
steps.
1. Convert all your users as postgresql database users
If he's going to do this, why bother with hard-coding a single user id
and password in the application -- why not have the user log in as their
defined Postgresql user, and let the data base handle all the security
and permission issues?
In that case he can not use connection pooling. Thats all. Otherwise there is
no need for single user id.
Shridhar
---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match
Berend, Shridhar, et al.,
see lower
----- Original Message -----
From: <bt****@computer.org>
To: <sh******@frodo.hserus.net>
Cc: <ba***********@pobox.sk>; <pg***********@postgresql.org>
Sent: Wednesday, June 02, 2004 2:28 PM
Subject: Re: [GENERAL] Securing a db app - RFC On Wednesday 02 June 2004 02:04, BARTKO Zoltan wrote: I would appreciate anyone wiser than me to comment on the following:
I am making an app for PostgreSQL (the server). The clients are
connecting through the same single user. ...
If I want to access a function (like do this or that with data), I
use a stored function and pass the id# of the user plus all the
necessary things. First, I check if the person is authorized to carry
out the operation. if so, the operation is performed.
There are users, who are administrators. Thus, they are allowed to do
anything.
You can probably use set session authorization. Here are some brief
steps.
1. Convert all your users as postgresql database users
If he's going to do this, why bother with hard-coding a single user id
and password in the application -- why not have the user log in as their
defined Postgresql user, and let the data base handle all the security
and permission issues?
Now my problem is that I have audit trails in the DB. I need to make it so
that the admin would just revive a deleted user any time the he wishes to do
so. Tell me if my comprehension is limited.
Thanks
Zoltan
---------------------------(end of broadcast)---------------------------
TIP 8: explain analyze is your friend This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: David McNab |
last post by:
Hi,
I'm writing a web app framework which stores pickles in client cookies.
The obvious security risk is that some 5cr1p7 X1ddi35 will inevitably try
tampering with the cookie and malforming...
|
by: Bruno Desthuilliers |
last post by:
Hi everyone !
Could someone point me to infos about securing python for use as CGI or
mod_python for a shared hosting environnement ?
I searched google, but did not find anything specific :(
...
|
by: atl-jcd |
last post by:
Does anyone have a HTML or PDF copy of the old Al Stevens article:
"Passing the C++ Test: Securing success in an interview" from Dr. Dobbs
Journal
(I know I can get it from the DDJ site if I...
|
by: byrocat |
last post by:
I'm chasing after a documetn that was available on one of the Microsoft
websites that was titled somethign like "MS SQL Server Best Practices"
and detailed a nyumber of best practices about...
|
by: James |
last post by:
What's the best way of securing online databases and web services? At present I am using a database password, which of course is not hard-coded into the web service, but this means re-submitting it...
|
by: Susan Bricker |
last post by:
Greetings. I am looking for some advice on making a database secure.
By secure, I mean that I want only certain people to have write access
to the database and I want the updates to be permitted...
|
by: Wm. Scott Miller |
last post by:
Hello all!
We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice...
|
by: Mark Goosen |
last post by:
Hi ive installed wse 2.0 SP3 and was running throught the demo downlaoded on
the Securing the Username Token with WSE 2.0 page the Securing the Username
Token with WSE 2.0.
Im spose to change...
|
by: KJ |
last post by:
Hello All,
I have to secure my first real B2B web service. Could you please
provide some guidance as to which method of security I should use. One
caveat is that we will not be using SSL on the...
|
by: Les Desser |
last post by:
In article
<fcebdacd-2bd8-4d07-93a8-8b69d3452f3e@s50g2000hsb.googlegroups.com>, The
Frog <Mr.Frog.to.you@googlemail.comMon, 14 Apr 2008 00:45:10 writes
Not sure if I quite follow that.
1....
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
| |
