Re: Securing a db app - RFC - Mailing list pgsql-general

From
Subject Re: Securing a db app - RFC
Date
Msg-id 64713.216.238.112.88.1086179307.squirrel@$HOSTNAME
Whole thread Raw
In response to Re: Securing a db app - RFC  (Shridhar Daithankar <shridhar@frodo.hserus.net>)
Responses Re: Securing a db app - RFC
List pgsql-general
> On Wednesday 02 June 2004 02:04, BARTKO Zoltan wrote:
>> I would appreciate anyone wiser than me to comment on the following:
>>
>> I am making an app for PostgreSQL (the server). The clients are
>> connecting through the same single user. ...
>>
>> If I want to access a function (like do this or that with data), I
>> use a stored function and pass the id# of the user plus all the
>> necessary things. First, I check if the person is authorized to carry
>> out the operation. if so, the operation is performed.
>>
>> There are users, who are administrators. Thus, they are allowed to do
>> anything.
>>
> You can probably use set session authorization. Here are some brief
> steps.
>
> 1. Convert all your users as postgresql database users


If he's going to do this, why bother with hard-coding a single user id
and password in the application -- why not have the user log in as their
defined Postgresql user, and let the data base handle all the security
and permission issues?


--Berend Tober




pgsql-general by date:

Previous
From: zhicheng wang
Date:
Subject: Re: after using pg_resetxlog, db lost
Next
From: Shridhar Daithankar
Date:
Subject: Re: Securing a db app - RFC