
Re: [Gnumed-devel] multitaskhttpd experiment

From: Jim Busser
Subject: Re: [Gnumed-devel] multitaskhttpd experiment
Date: Thu, 15 Jul 2010 19:48:02 -0700

On 2010-07-14, at 8:31 AM, lkcl wrote:

> whilst i realise it would be a lot of work, you really should give serious
> consideration to not using postgresql roles, and doing the RBAC "manually",
> just like it is done in web frameworks.  a database table stores
> username/passwords (MD5 hashes, whatever) and all "authentication" is done
> in the form of SQL queries prior to each access to the database.
> but... hmmm.... that would mean that you could not guarantee data security,
> wouldn't it?  because it would be the app performing the security, with
> total open-access to the database, wouldn't it?
> argh....

Typically when a "web app" accesses a database, is the app granted explicit 
permissions equal or equivalent to the database owner (e.g. gm-dbo)?

If not explicit, does the app achieve it implicitly (functionally) on account 
of playing a pass-through role for all user sessions and credentials? Thereby 
presenting a locus of attack and takeover outside the control of the database? 
Is that the fundamental security vulnerability i.e. that "control" has been 
given away from the database?

-- Jim
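The distinction Jim is asking about, as an added example that is not code from the thread or from GNUmed: a PostgreSQL setup in which the server, rather than the middle tier, decides what each user may touch. All schema, table and role names are assumed for illustration (only gm-dbo comes from the discussion), and the script is meant to be run by a superuser on an empty database.

```sql
-- Added example, not from the thread or GNUmed's own schema: keeping
-- access control inside PostgreSQL instead of in the web app. Names are
-- constructed for illustration; only gm-dbo is taken from the discussion.

-- Minimal stand-in tables so the script runs on an empty database.
CREATE SCHEMA clin;
CREATE SCHEMA dem;
CREATE TABLE dem.identity   (pk serial PRIMARY KEY, lastname text NOT NULL);
CREATE TABLE clin.encounter (pk serial PRIMARY KEY,
                             fk_patient int REFERENCES dem.identity(pk),
                             note text);

-- 1. Group roles hold the privileges; nobody logs in as a group.
CREATE ROLE gm_doctors NOLOGIN;
CREATE ROLE gm_staff   NOLOGIN;

-- 2. One login role per person, each a member of exactly one group.
--    Passwords are placeholders; real ones come from the site setup.
CREATE ROLE dr_jones  LOGIN PASSWORD 'placeholder' IN ROLE gm_doctors;
CREATE ROLE clerk_ann LOGIN PASSWORD 'placeholder' IN ROLE gm_staff;

-- 3. Privileges go to the groups. The owner (gm-dbo) keeps everything by
--    definition, which is exactly why the middle tier must not run as it.
GRANT USAGE ON SCHEMA clin, dem TO gm_doctors, gm_staff;
REVOKE ALL ON clin.encounter, dem.identity FROM PUBLIC;
GRANT SELECT, INSERT ON clin.encounter TO gm_doctors;           -- clinical data
GRANT USAGE ON SEQUENCE clin.encounter_pk_seq TO gm_doctors;    -- needed for INSERT
GRANT SELECT         ON dem.identity   TO gm_doctors, gm_staff; -- demographics only

-- 4. When the app passes each user's own credentials through, the server
--    enforces these grants on every statement whatever the app code does.
--    SET ROLE stands in for a session authenticated as that user: as
--    dr_jones the INSERT succeeds; as clerk_ann the same statement is
--    refused with a permission error before any row is touched.
SET ROLE dr_jones;
INSERT INTO clin.encounter (fk_patient, note) VALUES (NULL, 'first visit');
RESET ROLE;

-- 5. Audit what each login can actually reach (run as owner or superuser).
SELECT r.rolname,
       has_table_privilege(r.rolname, 'clin.encounter', 'INSERT') AS can_write_clinical,
       has_table_privilege(r.rolname, 'dem.identity',   'SELECT') AS can_read_demographics
FROM   pg_roles AS r
WHERE  r.rolname IN ('dr_jones', 'clerk_ann')
ORDER  BY r.rolname;
```

If the middle tier instead connects as a single service role and switches identities with SET ROLE, that service role has to be a member of every user role, so a compromised middle tier can become any of them; passing the user's own credentials through to PostgreSQL is what keeps that choice out of the app's hands.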
