Re: [GENERAL] Postgres CGI Security Problem

Vadim Mikheev <vadim@krs.ru>

From: Vadim Mikheev <vadim@krs.ru>
To: Chris Hardie <chris@summersault.com>
Cc: pgsql-general@postgreSQL.org
Date: 1998-08-08T08:18:24Z
Lists: pgsql-general
Chris Hardie wrote:
> 
> The situation: I have one machine with general user access.  Some users
> (including myself) own a postgres database.  Some users (including myself)
> use postgres as a back-end for CGI applications, using the Postgres.pm
> module for Perl. This requires that user "nobody" (or www, or whomever)
> have read/write access to my database.
> 
> The problem: While it's very handy that I can write CGI scripts that can
> read/write my database, it's a security problem.  Other users` CGI scripts
> will also make use of the "nobody" identity to access the database, which
> means they can potentially read/write the data in my database if they
> wanted to.
> 
> The fix: You tell me.  It would seem to involve a "setuid" of sorts for
                                                     ^^^^^^
> how the httpd process accesses the postgres database.

Apache has suexec program ro run user' CGI and SSI under
user' privileges...

Vadim