Posted by Kenneth Downs on 07/01/05 05:29
Google Mike wrote:
 > <snip>
 >> 3. The template app comes with either MySQL and equivalent PostgreSQL
 >> tables for users, groups, and members (group memberships). It contains
 >> the most basic things one would think of using. It also uses shadow
 >> passwords, rather than real passwords, in the users table.
 >
 > Done.  Though actually we use db security, not *nix security....
 >
 > ...
 >> 4. The install creates a new local Linux account that will be used by
 >> the PHP pages to authenticate to the database, along with password. It
 >> prompts you for the password and recommends that you change this every
 >> so many days.
 >
 > Again, security is tied to a database, at least in my world.
 > - Kenneth Downs
 > </snip>
 >
 > Uh, yeah, you are right. I do prefer DB security -- no sense giving
 > people an account to login to the server that way. So the users and
 > groups thing -- that's in the tables in the db.
 >
 > However, that aside, the PHP pages have to have something to pass to
 > pg_connect(), and often big corporations don't like the db account of
 > "root" or "postgres" to use that. So, instead, one has to create an
 > account (often this account is named something similar to the app name)
 > in the database.
 
 Which is as it should be.  The database is full of groups that have certain
 security rights, and you make a person real by creating their account and
 putting them into their groups.
 
The anti-technique of having all connections going through a bogus account
leads to no end of trouble, not the least of which is the complete lack of
ability to use real server-side security, and the horrible dangers
associated with the fact that this bogus account must carry the highest
possible privileges.
 
 --
 Kenneth Downs
 Secure Data Software, Inc.
 (Ken)nneth@(Sec)ure(Dat)a(.com)
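The two arrangements contrasted in the reply, a single shared application account versus groups that hold rights and people made real by membership, as an added PostgreSQL example that is not part of the original post. The role names, table and password values are placeholders of mine, and the syntax assumes a PostgreSQL release with CREATE ROLE (8.1 or later); older releases spelled the same idea as CREATE GROUP / CREATE USER.

```sql
-- Added example, not from the original post: PostgreSQL roles that keep
-- security in the database, beside the single high-privilege account the
-- post argues against. Names and passwords are illustrative placeholders.

-- The "anti-technique": one shared account every PHP page connects as.
-- It must be able to do anything any user might do, so it ends up with the
-- highest privileges, and the server can no longer tell which human acted.
CREATE ROLE app_user LOGIN SUPERUSER PASSWORD 'placeholder-change-me';

-- The alternative: rights belong to groups, people are members of groups.
CREATE TABLE orders (
    id         serial PRIMARY KEY,
    customer   text NOT NULL,
    amount     numeric(10,2) NOT NULL,
    entered_by text NOT NULL DEFAULT current_user   -- server records who acted
);

-- Group roles carry the rights; NOLOGIN so nobody connects as the group.
CREATE ROLE clerks   NOLOGIN;
CREATE ROLE auditors NOLOGIN;

GRANT SELECT, INSERT ON orders TO clerks;
GRANT USAGE ON SEQUENCE orders_id_seq TO clerks;  -- needed to INSERT via serial
GRANT SELECT ON orders TO auditors;

-- State explicitly that nobody outside the groups reaches the table.
REVOKE ALL ON orders FROM PUBLIC;

-- A person becomes real by getting a login role and group memberships.
-- Roles inherit by default, so membership confers the group's grants at once.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-alice';
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-bob';
GRANT clerks   TO alice;
GRANT auditors TO bob;

-- What the server now enforces, with the PHP page connecting as the person:
-- as alice: INSERT INTO orders (customer, amount) VALUES ('ACME', 10.00);
--           succeeds, entered_by is 'alice'
-- as bob:   INSERT INTO orders (customer, amount) VALUES ('ACME', 10.00);
--           fails with "permission denied for table orders"
-- as bob:   SELECT * FROM orders;
--           succeeds (auditors may read)
```

The practical consequence is the one the reply points at: with per-person login roles the grants, the `entered_by` default and the server log all identify the actual user, and a compromised PHP page holds only that user's rights rather than superuser. The application account in the first statement is kept only to show what the corrected setup replaces; in a real deployment it would not be created at all.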