Postgres Pro
Downloads
Home   >   mailing lists

Re: [GENERAL] cgi with postgres - Mailing list pgsql-general

From Alfred Perlstein
Subject Re: [GENERAL] cgi with postgres
Date
Msg-id 20000114145228.F508@fw.wintelcom.net
Whole thread Raw
In response to Re: [GENERAL] cgi with postgres  (Jeff MacDonald <jeff@hub.org>)
List pgsql-general
Tree view 
* Jeff MacDonald <jeff@hub.org> [000114 14:07] wrote:
> alfred, that seems like a very reasonable solution,
>
> in regard to the other chaps responce, i'm not worried
> about web users anyway, cause they can't see the perl
> source. it's users on the system i'd like to protect
> against.

I'm not sure what you mean, but there is a problem, unless you
execute the scripts as a user other than the default cgi user then
you may run into problems because then people can craft a cgi and
run it through the server to gain access to the 700 dir, you'll
either need some sort of setuid (to a special user, not root) or
use some sort of cgiwrapper.

-Alfred

>
>  On Fri, 14 Jan 2000, Alfred Perlstein wrote:
>
> > * Jeff MacDonald <jeff@hub.org> [000114 13:38] wrote:
> > > hey folks,
> > >
> > > this is a security issue i'd like to get some info
> > > on, i'm sure it's more with cgi than postgres, but
> > > heck.
> > >
> > > issue: how to secure cgi's that access postgres
> > >
> > > problem: passwords for postgres database are stored
> > >       in plain text in scripts. (lets assume, perl,
> > >       not a compiled language)
> > >
> > > points:
> > >     make cgi dir 711
> > >     big deal, they can get the name of the file
> > >     from the web, and copy it.
> >
> > how about sourcing a conf file that's in a 700 dir?
> >
> > >
> > >     set an obscure cgi script alias in apache
> > >     big deal, they can read the cgi conf file.
> > >
> > >     this is assuming they already have an account
> > >     on the machine, something that cannot be ruled
> > >     out.
> > >
> > > question in short: how to make perl accessing databases
> > >     more secure, so any jack can't modify a database.
> > >
> > > thanks in advance.
> > >
> > > Jeff MacDonald
> > > jeff@hub.org
> > >
> >
> > --
> > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> >
>
> Jeff MacDonald
> jeff@hub.org
>
> ===================================================================
>  So long as the Universe had a beginning, we can suppose it had a
> creator, but if the Universe is completly self contained , having
> no boundry or edge, it would neither be created nor destroyed
>  It would simply be.
> ===================================================================
>

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

pgsql-general by date:

Previous
From: rut
Date:
Subject: sql question
Next
From: Neil Burrows
Date:
Subject: More Rule creation problems (and nowhere near 8K)