Paypal and "going root"

Kenneth Downs <ken@secdat.com>

From: Kenneth Downs <ken@secdat.com>
To: pgsql general <pgsql-general@postgresql.org>
Date: 2007-05-17T13:45:18Z
Lists: pgsql-general
I am seeking to have a system in which it is never necessary for 
application code to "go root" w/respect to the database server, where 
all commands issued to a server are as a regular logged in user with 
their privileges.

There are two holes I know of here.  Thanks to Tom I've got the answer 
to the first one: which is creating users.  We will implement stored 
procedures that create users and grant privileges, and then grant 
execute privileges to these stored procedures.  This means we don't have 
to "go root" to grant membership in groups.

The last one left that I have is the sticky issue of a paypal IPN 
transaction coming in.  I believe it applies generally to financial 
transactions.  The user is sent by our application to the Paypal site.  
When they pay, paypal sends a POST with various information that we 
need.  The user does not see this, it is behind the scenes.  The POST 
request must run as an anonymous user because I have no state 
whatsoever.  But the request must also commit financial data.  This 
creates a vulnerability, at least in theory.  There are fields contained 
in the transaction meant to allow confirmation and prevent fraud, but I 
just don't like that idea of running anonymously and committing 
financial data.

In this case it seems creating a stored procedure will not automatically 
help, as then we just execute the SP anonymously, and it strikes me as 
no different.

Has anybody pondered this and come up with anything?

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010