Chris Hardie wrote:
>
> The situation: I have one machine with general user access. Some users
> (including myself) own a postgres database. Some users (including myself)
> use postgres as a back-end for CGI applications, using the Postgres.pm
> module for Perl. This requires that user "nobody" (or www, or whomever)
> have read/write access to my database.
>
> The problem: While it's very handy that I can write CGI scripts that can
> read/write my database, it's a security problem. Other users` CGI scripts
> will also make use of the "nobody" identity to access the database, which
> means they can potentially read/write the data in my database if they
> wanted to.
>
> The fix: You tell me. It would seem to involve a "setuid" of sorts for
^^^^^^
> how the httpd process accesses the postgres database.
Apache has suexec program ro run user' CGI and SSI under
user' privileges...
Vadim
