On Tue, Jan 23, 2007 at 09:01:56 -0800,
Richard Troy <rtroy@ScienceTools.com> wrote:
>
> On Mon, 22 Jan 2007, Bruno Wolff III wrote:
> > On Mon, Jan 22, 2007 at 20:25:48 +0100,
> > Bertram Scharpf <lists@bertram-scharpf.de> wrote:
> > >
> > > What I want to do is the following:
> > >
> > > 1. Login in from a program on a client as a particualar user.
> >
> > For this case you shouldn't need to do anything tricky as long as the user
> > is login in as themselves. Just prompt the user for their password and use it
> > when you open a connection to the database. If you are trying to have the
> > program login without the user being able to steal or borrow the credentials,
> > then you have a serious design flaw.
>
> I'm quite certain I missed the start of this thread, but just looking at
> the above paragraph as it stands:
>
> Design flaw? Perhaps an _incomplete_ design, but it's only a design flaw
> if not finished off properly. One way to do this cleanly is to use a
> program that has the suid bit set so it runs as the program's file owner
> (optionally group), and this program accesses the password and provides
> the database access.
You are correct. I over generalized. I should have added :and you don't control
the computer the user is running the client program on". In the case where you
do control the computer, setuid can be used to do things securely.