Re: [GENERAL] Limiting DB access by role after initial connection?

From: Ken Tanzer
Subject: Re: [GENERAL] Limiting DB access by role after initial connection?
Msg-id CAD3a31XgnuFsoCK2P=dwpBs6NaiBY7h8Q_4Ju9yb5MGZ8_bKJQ@mail.gmail.com
In reply to: Re: [GENERAL] Limiting DB access by role after initial connection?  (Bruno Wolff III <bruno@wolff.to>)
List: pgsql-general
On Sun, Jun 11, 2017 at 12:15 PM, Bruno Wolff III <bruno@wolff.to> wrote:
> On Fri, Jun 09, 2017 at 21:14:15 -0700,
>  Ken Tanzer <ken.tanzer@gmail.com> wrote:
> > On Fri, Jun 9, 2017 at 5:38 PM, Bruno Wolff III <bruno@wolff.to> wrote:
> >
> > Seems to me they are separate issues. App currently has access to the
> > password for accessing the DB. (Though I could change that to ident access
> > and skip the password.) App 1) connects to the DB, 2) authenticates the
> > user (within the app), then 3) proceeds to process input, query the DB,
> > produce output. If step 2A becomes irrevocably changing to a site-specific
> > role, then at least I know that everything that happens within 3 can't
> > cross the limitations of per-site access. If someone can steal my password
> > or break into my backend, that's a whole separate problem that already
> > exists both now and in this new scenario.
>
> In situations where a person has enough access to the app (e.g. it is a binary running on their desktop) to do spurious role changes, they likely have enough access to hijack the database connection before privileges are dropped.

Ah yes, I could see that.  In this case it's a web app, so only the server has the DB credentials.  I'd really hate it if each client had to be able to access those credentials!

Cheers,
Ken


-- 
AGENCY Software  
A Free Software data system
By and for non-profits
(253) 245-3801

learn more about AGENCY or
follow the discussion.
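The connect-then-switch design discussed in this thread (connect as one application login, authenticate the user in the app, then drop the session into a site-specific role before any query runs), as an added SQL example that is not from the thread or from AGENCY Software. The role names app_login, site_a and site_b, the clients table and its site column are assumed for illustration. The block sets up per-site NOLOGIN roles reached only through SET ROLE, fences each role to its own rows with row-level security, and ends with the caveat Bruno raises: a plain SET ROLE is reversible by whatever is issuing SQL on that connection, so the boundary holds only while the application code alone controls the session.

```sql
-- Added example (not from the thread). Run the setup as a superuser or the
-- table owner; the "session" part is what the web app would run after
-- connecting as app_login. Names are assumed for illustration.

-- 1) The single login role the web server holds credentials for.
--    NOINHERIT: it gets no privileges from the site roles until it SET ROLEs.
CREATE ROLE app_login LOGIN NOINHERIT PASSWORD 'placeholder-change-me';

-- 2) One role per site. NOLOGIN means they are reachable only via SET ROLE.
CREATE ROLE site_a NOLOGIN;
CREATE ROLE site_b NOLOGIN;
GRANT site_a TO app_login;
GRANT site_b TO app_login;

-- A table shared by all sites, tagged per row with the owning site.
CREATE TABLE clients (
    id    serial PRIMARY KEY,
    site  text   NOT NULL,
    name  text   NOT NULL
);
INSERT INTO clients (site, name) VALUES ('a', 'alpha-org'), ('b', 'beta-org');

-- Row-level security: each site role sees and writes only its own rows.
-- (The table owner bypasses RLS, so the app must not connect as the owner.)
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO site_a, site_b;
GRANT USAGE, SELECT ON SEQUENCE clients_id_seq TO site_a, site_b;
CREATE POLICY site_a_rows ON clients TO site_a
    USING (site = 'a') WITH CHECK (site = 'a');
CREATE POLICY site_b_rows ON clients TO site_b
    USING (site = 'b') WITH CHECK (site = 'b');

-- Step 2A from the message: after the app has authenticated the user,
-- the session switches to that user's site role.
SET ROLE site_a;
SELECT current_user;                                      -- site_a
SELECT name FROM clients;                                 -- only 'alpha-org'
INSERT INTO clients (site, name) VALUES ('a', 'alpha-2'); -- allowed
INSERT INTO clients (site, name) VALUES ('b', 'beta-2');  -- fails: WITH CHECK

-- Caveat: SET ROLE is not irrevocable. Anything that can send SQL on this
-- connection can return to app_login, which is a member of every site role,
-- and from there switch to another site. The per-site limit therefore depends
-- on the app code being the only thing that drives the connection.
RESET ROLE;
SELECT current_user;                                      -- app_login again
```

Two practical checks follow from this: confirm with `SELECT current_user` (or `session_user`) in a startup query that the expected site role is active before the first data query, and grant the site roles nothing beyond what the policies need, so that even a session that never switched roles cannot read the table (app_login above has no privileges on clients at all).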
