hacker help: PHP-4.2.3 patch to allow restriction of database access

Поиск
Список
Период
Сортировка
От Jim Mercer
Тема hacker help: PHP-4.2.3 patch to allow restriction of database access
Дата
Msg-id 20020927002651.GA50244@reptiles.org
обсуждение исходный текст
Ответы Re: hacker help: PHP-4.2.3 patch to allow restriction of  (Gavin Sherry <swm@linuxworld.com.au>)
Re: hacker help: PHP-4.2.3 patch to allow restriction of database access  (Tom Lane <tgl@sss.pgh.pa.us>)
Список pgsql-hackers
Дерево обсуждения 
the following was sent to the php developer's list, and they came back with:

> > Isn't it generally better (where "better" means more secure,
> > efficient, and easily maintained) to handle database access
> > control using PostgreSQL's native access mappings?
>
> I would think so, and IMHO, that's where pgsql access control
> belongs, with pgsql.

as best i can understand, there is no way to get apach/php/pgsql configured
(using "PostgreSQL's native access mappings") that would disallow php code
in one virtual host from connecting to any database on the system.

i understand that on a user level, we can control which tables they have
access to (disregarding that almost all access will be by the "web" user).

can anyone make some valid arguments for/against the patch in php?
or any suggestions on how to do it in pgsql?

----- Forwarded message from Jim Mercer <jim@reptiles.org> -----

Date: Thu, 26 Sep 2002 14:54:45 -0400
From: Jim Mercer <jim@reptiles.org>
To: pgsql-general@postgreSQL.org
Subject: PHP-4.2.3 patch to allow restriction of database access


the patch is at:
ftp://ftp.reptiles.org/pub/php/php-pgsql.patch

this patch adds the config variable pgsql.allowed_dblist

by default it has no value, meaning all databases are accessible

it can contain a colon delimited list of databases that are accessible.

if the database accessed is not in the list, and the list is not null,
then an error is returned as if the database did not exist

this patch is relative to php-4.2.3

this function would be very useful to apache/virtual hosting.

i have tested with the following in my apache httpd.conf:

<Directory /home/www/htdocs/jim>   php_admin_value pgsql.allowed_dblist    "jim:billing"
</Directory>

although it can be accomplished by other means, setting the variable to a
value of ":" effectively locks the code out of pgsql.

also, a special tag of "-all-" will allow access to all databases.

-- 
[ Jim Mercer        jim@reptiles.org         +1 416 410-5633 ]
[          I want to live forever, or die trying.            ]

----- End forwarded message -----

-- 
[ Jim Mercer        jim@reptiles.org         +1 416 410-5633 ]
[          I want to live forever, or die trying.            ]

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Joe Conway
Дата:
Сообщение: Re: About connectby() again
Следующее
От: "Magnus Naeslund(f)"
Дата:
Сообщение: [ANNOUNCE] PQNotify java listen / notify hack