Re: [SQL] connecting with password - Mailing list pgsql-sql

From Eric McKeown
Subject Re: [SQL] connecting with password
Date
Msg-id Pine.LNX.3.96.980911130613.8051B-100000@farout.palaver.net
In response to Re: [SQL] connecting with password  (darcy@druid.net (D'Arcy J.M. Cain))
List pgsql-sql
On Thu, 10 Sep 1998, D'Arcy J.M. Cain wrote:

> Date: Thu, 10 Sep 1998 23:11:15 -0400 (EDT)
> From: "D'Arcy J.M. Cain" <darcy@druid.net>
> To: Eric McKeown <ericm@palaver.net>
> Cc: PGsql <pgsql-sql@postgreSQL.org>
> Subject: Re: [SQL] connecting with password
>
> Thus spake Eric McKeown
> > Is there any way to set up special password protections for a Postgres
> > database, so that I can force someone to present a username and password
> > when connecting from a PHP script?  I've combed the docs for something on
> > this, and I may just be completely off base on the feasibility.
>
> What I do is run the page as the database owner (I run a separate Apache
> on a different port) and use the Apache server password protections.
> Just remember to check who the remote user is every time you do any
> operation where the specific user is important.  If you just need to
> make a general restriction on a database for a group then the protection
> in the config files (or .htaccess) should be fine.

I have no problems restricting access to pages where important db-related
things happen.  I simply protect these pages using HTTP or PHP
authentication, and for now, that suffices to protect those pages that
perform db-sensitive operations from the "Bad Guys".

However, what I'm trying to do is this:  I want to prevent users on my
system from writing PHP scripts on our local system that can connect to
any db and wipe out all the records in that database.  Under the current
scheme, with PHP/Apache connecting to Postgres as nobody and nobody having
permissions on the tables in my database, anybody on the system could
write and install a script that would blow any nobody-accessible database out
of the water.

So, on the PHP mailing list, I had seen it was possible to specify a
username and password when connecting to Postgres from Apache/PHP, and I'm
trying to figure out how to give users in my database passwords so that I
can quit giving nobody permissions on my dbs and start using passwords
instead.  Does that make any sense?  If I chown the db-connection files to
the uid of the web server and then make those files readable only by the
web server uid, then that will give me a much higher level of security.

Does that make any sense??  Does anyone know whether it's possible to set
up new users in Postgres databases and give them passwords for protection
purposes??

TIA for all input on this problem...

eric

>
> How you do this in PHP is up to you.  I do it all in Python.
>
> --
> D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
> http://www.druid.net/darcy/                |  and a sheep voting on
> +1 416 424 2871     (DoD#0082)    (eNTP)   |  what's for dinner.
>

_______________________
Eric McKeown
ericm@palaver.net
http://www.palaver.net
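
The file-permission step described in the message above (connection files owned by the web server uid and readable only by it), as an added example that is not part of the original thread: a Python check for such a file. The function name, the file name `db.conf` and its contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_credential_file(path, expected_uid):
    """Return a list of findings; an empty list means the file passes."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted by another user
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["path is not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"group/other access bits set: {mode:04o}")
    # A writable parent directory lets another local user swap the file out,
    # even when the file's own mode is correct.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    writable = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is group/other writable")
    return findings


def demo():
    """Audit a constructed credentials file before and after tightening."""
    directory = tempfile.mkdtemp()            # created with mode 0700
    path = os.path.join(directory, "db.conf")  # hypothetical file name
    with open(path, "w") as fh:
        fh.write("user=webapp\npassword=PLACEHOLDER\n")  # constructed sample
    os.chmod(path, 0o644)                     # world-readable: the weak setting
    before = audit_credential_file(path, os.getuid())
    os.chmod(path, 0o600)                     # owner-only: the corrected setting
    after = audit_credential_file(path, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("0644:", before)
    print("0600:", after)
```

This check covers other local accounts only: any script that the web server itself executes under that uid can still read the file.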

