[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Database security

To: uu@total-knowledge.com
Subject: Re: Database security
From: "Alexey Parshin" <alexeyp@gmail.com>
Date: Sun, 18 Feb 2007 09:30:17 +1100
Delivered-to: mailing list uu@total-knowledge.com
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=Hp3n4J+Uq0JL1v1eDD0DoUn83AAW34kVP85eIJw86ZJZfo1pUDX0h07e4N9gJ6pQ5/jnZ0duS2SINfIgEhBdHI2ktfx3yv4gaonE+JZiuD2pwg+2flJITWTVK3OeMq7gj8DkypKKQ0uW4HpiGDQ9ZRLwc/GlVBI3W0nVKEc1H4M=
In-reply-to: <45D78187.8080006@total-knowledge.com>
Mailing-list: contact uu-help@total-knowledge.com; run by ezmlm
References: <a75bc3cf0702171414k32ac8a54o9c7c65276fe3c1b0@mail.gmail.com> <45D78187.8080006@total-knowledge.com>

YES!!

2007/2/18, Ilya A. Volynets-Evenbakh <ilya@total-knowledge.com>:

OK. I didn't know there are "setuid" procedures. This really changes
whole picture. If that's possible, we should go your way.

I think, as far as access checker, it should be something like
bool is_authorized(object_type, object_id, access_type)

Reason: we have more access types, then just read/write, and
they are all defined in more or less generic way, according to
the spec.

Alexey Parshin wrote:
> Gentlemen,
>
> Since we are implementing a database that may be used in commercial
> app, the security of the database is really important.
> 1) One day or another, someone would try to hack into the database
> directly, around our application. We should be prepared to it.
> 2) The database should enforce security to guarantee it, not just
> suggest it.
> 3) The nature of our permissions doesn't allow to use database
> permissions to handle access of different users to parts of the tables
> - we need stored procs to achieve it.
>
> So, my idea was to allow users to select from any table and to allow
> any modification to be done only through stored procs.
> It's currently implemented in SVN as the following:
> 1) Every table is granted access as:
> GRANT SELECT ON <table name> TO PUBLIC;
> 2) Every stored procedure is defined as SECURITY DEFINER. Such stored
> procs are executed with the permissions of their creator (superuser,
> in our case)
>
> In order to maintain the security, we need user ID defined within the
> session. Postgres doesn't have any support for session variables
> (other then engine parameters), or I couldn't find it.
> Instead, we can use temporary tables to implement the equivalent to
> session variables. In order to prevent regular user from dropping
> temporary table with session parameters, we revoke the right to create
> a temp table from PUBLIC.
> I provided (in SVN) file login.sql that creates a session_info table
> with user_id. It isn't a real login procedure yet - it just tests the
> concept. After we have user id in such temp table, and can guarantee
> users can't (re)create or change it - we can use user id in the
> security checks.
>
> A typical security check should happen at the start of every object
> modification an be something like:
>
> if can_modify("topic",topic_id) = false then
> RAISE EXCEPTION('You can't modify this topic');
> end if
>
> The actual prototype of 'can_modify' should be discussed. It could be
> a set of 'can_update', 'can_delete', etc, or it could be
> can_modify(object type,object id,access level);
>
> --
> Alexey Parshin,
> http://www.sptk.net

--
Ilya A. Volynets-Evenbakh
Total Knowledge. CTO
http://www.total-knowledge.com

--
Alexey Parshin,
http://www.sptk.net

References:
- Database security
  - From: "Alexey Parshin" <alexeyp@gmail.com>
- Re: Database security
  - From: "Ilya A. Volynets-Evenbakh" <ilya@total-knowledge.com>

Prev by Date: Re: Database security
Next by Date: Version support for topic_list
Previous by thread: Re: Database security
Next by thread: Version support for topic_list
Index(es):
- Date
- Thread

UniverseUniversity

uu

Re: Database security