Re: [GENERAL] Limiting DB access by role after initial connection? - Mailing list pgsql-general

From Bruno Wolff III
Subject Re: [GENERAL] Limiting DB access by role after initial connection?
Date
Msg-id 20170610003843.GA10159@wolff.to
In response to [GENERAL] Limiting DB access by role after initial connection?  (Ken Tanzer <ken.tanzer@gmail.com>)
Responses Re: [GENERAL] Limiting DB access by role after initial connection?  (Ken Tanzer <ken.tanzer@gmail.com>)
List pgsql-general
On Thu, Jun 08, 2017 at 22:37:34 -0700,
  Ken Tanzer <ken.tanzer@gmail.com> wrote:
>
>My approach was to have the initial connection made by the owner, and then
>after successfully authenticating the user, to switch to the role of the
>site they belong to.  After investigation, this still seems feasible but
>imperfect.  Specifically, I thought it would be possible to configure such
>that after changing to a more restricted role, it would not be possible to
>change back.  But after seeing this thread (

How are you keeping the credentials of the owner from being compromised? It
seems if you are worried about role changing, adversaries will likely also
be in a position to steal the owner's credentials or hijack the connection
before privileges are dropped.
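
The role-switching behaviour discussed in the quoted message, as an added example that is not part of the original thread: in PostgreSQL, `SET ROLE` changes `current_user` but leaves `session_user` untouched, so `RESET ROLE` restores the owner, while a session authenticated as the restricted role has nothing to switch back to. All role and table names are constructed, and `SET SESSION AUTHORIZATION` is used here as a stand-in for a real login, which requires running the script as a superuser in a scratch database.

```sql
-- Constructed roles and table; run as a superuser in a scratch database.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE site_a NOLOGIN;
CREATE ROLE site_b NOLOGIN;
GRANT site_a, site_b TO app_owner;      -- lets app_owner SET ROLE to either site

CREATE TABLE site_b_data (id int, note text);
ALTER TABLE site_b_data OWNER TO app_owner;
GRANT SELECT ON site_b_data TO site_b;

-- Case 1: the session belongs to the owner, then drops to a site role.
SET SESSION AUTHORIZATION app_owner;    -- stand-in for logging in as app_owner
SET ROLE site_a;
SELECT session_user, current_user;      -- session_user is still app_owner
SELECT * FROM site_b_data;              -- rejected: site_a holds no privilege here

RESET ROLE;                             -- any SQL reaching this session can do this
SELECT session_user, current_user;      -- both are app_owner again
SELECT * FROM site_b_data;              -- allowed: back to the owner's privileges

-- Case 2: the session is authenticated as the site role itself.
RESET SESSION AUTHORIZATION;
SET SESSION AUTHORIZATION site_a;       -- stand-in for logging in as site_a
SET ROLE app_owner;                     -- rejected: site_a is not a member of app_owner
RESET ROLE;                             -- no effect: current_user stays site_a
SELECT * FROM site_b_data;              -- still rejected

-- Cleanup.
RESET SESSION AUTHORIZATION;
DROP TABLE site_b_data;
DROP ROLE app_owner, site_a, site_b;
```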

