Re: [Gnumed-devel] multitaskhttpd experiment
From: Jim Busser
Subject: Re: [Gnumed-devel] multitaskhttpd experiment
Date: Thu, 15 Jul 2010 19:48:02 -0700
On 2010-07-14, at 8:31 AM, lkcl wrote:
> whilst i realise it would be a lot of work, you really should give serious
> consideration to not using postgresql roles, and doing the RBAC "manually",
> just like it is done in web frameworks. a database table stores
> username/passwords (MD5 hashes, whatever) and all "authentication" is done
> in the form of SQL queries prior to each access to the database.
>
> but... hmmm.... that would mean that you could not guarantee data security,
> wouldn't it? because it would be the app performing the security, with
> total open-access to the database, wouldn't it?
>
> argh....
Typically when a "web app" accesses a database, is the app granted explicit
permissions equal or equivalent to the database owner (e.g. gm-dbo)?
If not explicit, does the app achieve it implicitly (functionally) on account
of playing a pass-through role for all user sessions and credentials? Thereby
presenting a locus of attack and takeover outside the control of the database?
Is that the fundamental security vulnerability i.e. that "control" has been
given away from the database?
-- Jim
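The two models under discussion, side by side, as an added example that is not part of the thread or of GNUmed's own schema. It assumes PostgreSQL; every role, table and column name (app_only, gm_doctors, gm_staff, gm_pool, alice, bob, patients, app_users) is constructed for illustration.

```sql
-- Model A: RBAC done "manually" in the application.
-- One login role owns everything; the app checks a users table itself
-- and then runs whatever SQL it likes. The database never learns who the
-- real user was, so a bug in the app or a leaked app password exposes every row.
CREATE ROLE app_only LOGIN PASSWORD 'placeholder';
CREATE TABLE app_users (
    username      text PRIMARY KEY,
    password_hash text NOT NULL,   -- verified by application code, not by PostgreSQL
    is_doctor     boolean NOT NULL DEFAULT false
);
CREATE TABLE patients (
    id    serial PRIMARY KEY,
    name  text,
    notes text                     -- clinical notes
);
ALTER TABLE app_users OWNER TO app_only;
ALTER TABLE patients  OWNER TO app_only;

-- Model B: RBAC enforced by the database.
-- Each human is a PostgreSQL role, privileges are granted to group roles,
-- and every statement runs as the authenticated user.
CREATE ROLE gm_doctors NOLOGIN;
CREATE ROLE gm_staff   NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD 'placeholder' IN ROLE gm_doctors;
CREATE ROLE bob   LOGIN PASSWORD 'placeholder' IN ROLE gm_staff;

REVOKE ALL ON patients FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE ON patients TO gm_doctors;
GRANT SELECT (id, name)      ON patients TO gm_staff;   -- staff never see notes

-- A pooling middle tier (such as a web front end) can still be used: it connects
-- as a role that is a member of the user roles and drops to the real user
-- for the session. NOINHERIT keeps the pool role from holding everyone's
-- privileges at once.
CREATE ROLE gm_pool LOGIN PASSWORD 'placeholder' NOINHERIT;
GRANT alice TO gm_pool;
GRANT bob   TO gm_pool;

-- A session after the pool has authenticated bob:
SET ROLE bob;
SELECT id, name FROM patients;   -- allowed
SELECT notes FROM patients;      -- rejected by PostgreSQL: permission denied
RESET ROLE;
```

In model B a compromised front end, or a query it was tricked into issuing, is bounded by the grants of the role it has assumed, which is the control Jim's question is about.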