On Fri, Jun 09, 2017 at 21:14:15 -0700,
Ken Tanzer <ken.tanzer@gmail.com> wrote:
>On Fri, Jun 9, 2017 at 5:38 PM, Bruno Wolff III <bruno@wolff.to> wrote:
>
>Seems to me they are separate issues. App currently has access to the
>password for accessing the DB. (Though I could change that to ident access
>and skip the password.) App 1) connects to the DB, 2) authenticates the
>user (within the app), then 3) proceeds to process input, query the DB,
>produce output. If step 2A becomes irrevocably changing to a site-specific
>role, then at least I know that everything that happens within 3 can't
>cross the limitations of per-site access. If someone can steal my password
>or break into my backend, that's a whole separate problem that already
>exists both now and in this new scenario.
In situations where a person has enough access to the app (e.g. it is a
binary running on their desktop) to do spurious role changes, they likely
have enough access to hijack the database connection before privileges
are dropped.
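The sequence Ken describes (connect as the app, authenticate the user in the app, then narrow the session to a site-specific role) and Bruno's caveat that the narrowing can be undone from the same session can both be shown with a few PostgreSQL statements. This is an added example, not code from the thread; it assumes PostgreSQL (suggested by the thread's mention of roles and ident access), and the role and table names (app_user, site_a, site_b, site_data) are hypothetical.

```sql
-- Added example (not from the thread). Assumes PostgreSQL; all names are hypothetical.

-- One login role for the application, plus NOLOGIN roles per site.
-- NOINHERIT means app_user holds no table privileges of its own; it gets
-- them only after SET ROLE to a site role it is a member of.
CREATE ROLE app_user LOGIN NOINHERIT;
CREATE ROLE site_a NOLOGIN;
CREATE ROLE site_b NOLOGIN;
GRANT site_a, site_b TO app_user;   -- app_user may SET ROLE to either

CREATE TABLE site_data (
    id        serial PRIMARY KEY,
    site_role name NOT NULL,          -- owning site role, e.g. 'site_a'
    payload   text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON site_data TO site_a, site_b;
GRANT USAGE ON SEQUENCE site_data_id_seq TO site_a, site_b;

-- Row-level security keyed on the role the session is currently acting as,
-- so a site role can only see and write its own rows.
ALTER TABLE site_data ENABLE ROW LEVEL SECURITY;
CREATE POLICY per_site ON site_data
    USING (site_role = current_user)
    WITH CHECK (site_role = current_user);

-- Step 2 of the sequence: the app has authenticated the user and now
-- narrows the session to that user's site.
SET ROLE site_a;
SELECT * FROM site_data;            -- only rows with site_role = 'site_a'

-- Bruno's caveat: the narrowing is reversible from within the same session.
RESET ROLE;                          -- back to app_user (no table privileges)
SET ROLE site_b;                     -- now site_b's rows are visible instead
```

The per-site limit therefore holds only as long as nothing running in the session after step 2 issues RESET ROLE or another SET ROLE; the SQL statements that narrow the session are no harder to issue than the ones that widen it again. Logging these statements (e.g. with log_statement or a connection-level audit tool) is one way to notice unexpected role switches, but as the reply above points out, anyone positioned to issue them could equally act on the connection before the role switch happens.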