Re: Best practice? Web application: single PostgreSQL - Mailing list pgsql-general

From Chris Travers
Subject Re: Best practice? Web application: single PostgreSQL
Date
Msg-id 011e01c3da76$bb8afcb0$dd44053d@winxp
In response to Best practice? Web application: single PostgreSQL user vs. multiple users  ("Keith G. Murphy" <keithmur@mindspring.com>)
Responses Re: Best practice? Web application: single PostgreSQL  ("Keith C. Perry" <netadmin@vcsn.com>)
List pgsql-general
> I do #1 - most connections are not persistent though I have done those
> before as well.  Security-wise I've been reviewing the pros and cons
> of this and so far I really can't make much of an argument for #2.
> Just the opposite in fact.  The one thing I will be doing though,
> for more security, is to create a special webuser for that client.
>

My concern with connection pooling is that the application itself must run
with permission to do anything that any user may do in the application.  If
you have a way of using PostgreSQL native accounts, you can actually force
the application to have no rights to the database at all unless the
credentials are supplied by a user.  The application then has NO rights to
anything that the user doesn't, and this may allow for better security.

The real drawback for multiple accounts is that each account needs to be
maintained.  In environments where this is an issue, I usually create
functions to do this so that my information does not get out of sync.
However, I can imagine this being a concern, security-wise.

Best Wishes,
Chris Travers
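The layout Chris describes (no shared application account, one native PostgreSQL role per user, and a single function that keeps the database roles and the application's own account table from drifting apart) as an added example; this is not code from the original message, and every role, schema, table and function name in it is an assumption chosen for illustration:

```sql
-- Added example, not from the original message.  All names (appdb, app,
-- app_user, app_admin, app.accounts, app.create_account) are assumptions.

-- Nothing is reachable by default: PUBLIC loses CONNECT on the database
-- and all rights on the public schema.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Application data lives in its own schema.  Every end user is a member
-- of app_user and inherits exactly these rights; there is no application
-- role that could act without a user's own credentials.
CREATE ROLE app_user NOLOGIN;
GRANT CONNECT ON DATABASE appdb TO app_user;
CREATE SCHEMA app;
GRANT USAGE ON SCHEMA app TO app_user;
CREATE TABLE app.invoices (id serial PRIMARY KEY, owner text NOT NULL, amount numeric);
GRANT SELECT, INSERT, UPDATE ON app.invoices TO app_user;
GRANT USAGE ON SEQUENCE app.invoices_id_seq TO app_user;

-- Application-side record of accounts, kept in step with the DB roles.
CREATE TABLE app.accounts (username text PRIMARY KEY,
                           created_at timestamptz NOT NULL DEFAULT now());

-- The one place accounts are created.  app_admin holds CREATEROLE and owns
-- the function; SECURITY DEFINER lets a caller create the role and the
-- account row together, so neither can exist without the other.
CREATE ROLE app_admin NOLOGIN CREATEROLE;
GRANT USAGE ON SCHEMA app TO app_admin;
GRANT INSERT ON app.accounts TO app_admin;

CREATE OR REPLACE FUNCTION app.create_account(p_user text, p_password text)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, app AS $$          -- fixed path for a definer function
BEGIN
    IF p_user !~ '^[a-z][a-z0-9_]{2,31}$' THEN     -- allow-list the role name
        RAISE EXCEPTION 'invalid username: %', p_user;
    END IF;
    -- %I quotes the identifier, %L the literal; the role joins app_user.
    EXECUTE format('CREATE ROLE %I LOGIN PASSWORD %L IN ROLE app_user',
                   p_user, p_password);
    INSERT INTO app.accounts (username) VALUES (p_user);
END;
$$;
ALTER FUNCTION app.create_account(text, text) OWNER TO app_admin;
REVOKE EXECUTE ON FUNCTION app.create_account(text, text) FROM PUBLIC;
```

The web tier then opens each session with the credentials the user typed, so a bug in the application cannot read or change rows that the connected role could not reach anyway.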

