Re: [GENERAL] Postgres CGI Security Problem
From | Maarten Boekhold |
---|---|
Subject | Re: [GENERAL] Postgres CGI Security Problem |
Date | |
Msg-id | Pine.SUN.3.91.980808224401.25540A-100000@dutepp0.et.tudelft.nl |
In reply to | Re: [GENERAL] Postgres CGI Security Problem (Chris Hardie <chris@summersault.com>) |
List | pgsql-general |

On Sat, 8 Aug 1998, Chris Hardie wrote:

>
> The Apache suexec solution sounds like my quickest fix yet.
>
> The solutions involving setting up a httpd server running as a user that
> can access my particular database still leave my users' databases open to
> write by other users, and seems kind of messy (but effective).
>
> Several folks mentioned supplying a password to the database through the
> CGI script. I had a hard time finding good documentation on this scheme;
> psql apparently supports the "-u" option that prompts for a password (and
> I assume you're prompted anyway when you have the "crypt" option set for a
> user/database in pg_dba.conf). But if you look in the source code for
> psql, it seems there are two methods to connect to a database, PQconnectdb
> which does allow for username/password, and PQsetdb, which *does not*.
> This means that someone could theoretically write a PERL module that uses
> the latter method to connect and bypass the password scheme.

No, because the requirement to connect with a password is not made by
libpq (or psql), but by the postmaster. If you have configured your database
to only allow access with username/password, and you do not supply them,
access is refused.

To try this out:

create a user (psql: CREATE USER username WITH PASSWORD mypassword)

stop the postmaster

edit $PGDATA/pg_hba.conf: make sure that the lines describing access to
your databases have 'password' or 'crypt' at the end of the line (read the
comments in this file)

start the postmaster

try to connect with 'psql database', it'll fail (if you have edited
pg_hba.conf correctly).

try to connect using 'psql -u database'. it'll prompt for a username and
password. give those, and you have access.

Note that you have 2 ways passwords are supported. The best one (in my
opinion) is the one that stores passwords in the table pg_shadow (only
readable by the postgres superuser, other users can only use pg_user, which
is a view on pg_shadow that hides the password field). The other way is to
store passwords in a separate file. Passwords can be added to this file
with the pg_passwd program. The first method is used by default, the second
if you *explicitly* specify a password file for each line in pg_hba.conf.

> In any case, I'm using the Postgres.pm module with PERL, and it doesn't
> seem to support the passing of a username/password pair (correct me if I'm
> wrong) from a CGI script. I'll attempt to code that, unless someone has
> done it already.
>
> Thanks for all your help!
>
> Chris
>
>
> On Sat, 8 Aug 1998, Maarten Boekhold wrote:
>
> > On Sat, 8 Aug 1998, Vadim Mikheev wrote:
> >
> > > Chris Hardie wrote:
> > > >
> > > > The situation: I have one machine with general user access. Some users
> > > > (including myself) own a postgres database. Some users (including myself)
> > > > use postgres as a back-end for CGI applications, using the Postgres.pm
> > > > module for Perl. This requires that user "nobody" (or www, or whomever)
> > > > have read/write access to my database.
> > > >
> > > > The problem: While it's very handy that I can write CGI scripts that can
> > > > read/write my database, it's a security problem. Other users' CGI scripts
> > > > will also make use of the "nobody" identity to access the database, which
> > > > means they can potentially read/write the data in my database if they
> > > > wanted to.
> > > >
> > > > The fix: You tell me. It would seem to involve a "setuid" of sorts for
> > >                                                    ^^^^^^
> > > > how the httpd process accesses the postgres database.
> > >
> > > Apache has suexec program to run user's CGI and SSI under
> > > user's privileges...
> >
> > And you could of course always use password authentication for those
> > databases....
> >
> > Maarten
> >
> > ps. only problem is that those passwords have to be in your perl-script,
> > and that script has to be world-readable, unless you have a system that
> > supports ACL's, then you can set it only readable to user nobody or www
> > or whatever
> >
> > _____________________________________________________________________________
> > | TU Delft, The Netherlands, Faculty of Information Technology and Systems  |
> > |                   Department of Electrical Engineering                    |
> > |           Computer Architecture and Digital Technique section             |
> > |                          M.Boekhold@et.tudelft.nl                         |
> > -----------------------------------------------------------------------------
> >
>
> ---------------------------------------------
> Chris Hardie           chris@summersault.com
>       http://www.summersault.com/chris
>                vincendum est
> ---------------------------------------------
>
>

_____________________________________________________________________________
| TU Delft, The Netherlands, Faculty of Information Technology and Systems  |
|                   Department of Electrical Engineering                    |
|           Computer Architecture and Digital Technique section             |
|                          M.Boekhold@et.tudelft.nl                         |
-----------------------------------------------------------------------------
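
Added example, not part of the original message or of PostgreSQL: a small audit of pg_hba.conf-style entries that reports which ones make the postmaster demand a password ('password' or 'crypt') and whether the passwords come from pg_shadow or from a per-line password file, as the reply above describes. The column layout, the sample entries and the file name `shop.pwd` are assumptions constructed for illustration.

```python
# Added example: audit pg_hba.conf-style entries for server-side password auth.
# Assumed older-style column layout (not shown in the message itself):
#   local DBNAME AUTHTYPE [AUTH_ARGUMENT]
#   host  DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]

PASSWORD_METHODS = {"password", "crypt"}
# Columns that precede the auth method for each record type.
PREFIX_COLUMNS = {"local": 2, "host": 4}

# Constructed sample; database names and the password file name are made up.
SAMPLE_HBA = """\
# comments and blank lines are ignored
local   all                                   trust
host    chrisdb  127.0.0.1  255.255.255.255   crypt
host    shopdb   127.0.0.1  255.255.255.255   password  shop.pwd
host    all      10.0.0.0   255.0.0.0         ident     sameuser
"""


def parse_hba(text):
    """Yield (line_no, conn_type, database, method, argument) per entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        prefix = PREFIX_COLUMNS.get(fields[0])
        if prefix is None or len(fields) <= prefix:
            raise ValueError(f"line {line_no}: unrecognised entry: {raw!r}")
        argument = fields[prefix + 1] if len(fields) > prefix + 1 else None
        yield line_no, fields[0], fields[1], fields[prefix], argument


def audit(text):
    """Report, per entry, whether the postmaster will demand a password."""
    findings = []
    for line_no, conn, db, method, arg in parse_hba(text):
        required = method in PASSWORD_METHODS
        # No file argument: passwords come from pg_shadow (the default).
        source = (f"file:{arg}" if arg else "pg_shadow") if required else None
        findings.append({"line": line_no, "type": conn, "database": db,
                         "method": method, "password_required": required,
                         "password_source": source})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HBA):
        flag = "ok  " if f["password_required"] else "NOPW"
        print(flag, f["line"], f["type"], f["database"], f["method"],
              f["password_source"] or "-")
```

Because the check is made by the postmaster from this file, an entry flagged NOPW is reachable without a password no matter which client library or connect call a CGI script uses.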