Thread: securing an information system
Hello folks,

Problem:

I would need some help with the system I am working on. It is an information system built on PgSQL 8 and after searching all over the net I found no function I could use to determine where the request to the DB (select...) came from. I need it to prevent using fake user ID numbers.

Premises:

All clients connect to the server via a single DB user. The users do not know the passwords of each other, but they may know each other's ID numbers. Any action in the system is carried out via access functions implemented as stored procedures on the DB and the tables are only accessible to select data, nothing more.

Possible exploit:

There are 2 users, A and B. B knows A's ID, while B is logged in, he connects to the DB via psql and sends an API call identifying himself as B. The system will accept it, because the origin of the request is not known.

Question:

Is there any way to find out on the server where the client request came from? If there was, I could ensure that one user connects only via 1 IP address.

Or is this a wrong approach? Should I better use some key located at the computer of the user only visible to him that would be sent every time the client requests action from the server via a secure connection?

Please enlighten me.

Thanks in advance.

Zoltan
On Fri, May 20, 2005 at 08:40:26 +0200, "BARTKO, Zoltán" <bartko.zoltan@pobox.sk> wrote:
> Hello folks,
>
> Problem:
>
> I would need some help with the system I am working on. It is an
> information system built on PgSQL 8 and after searching all over the
> net I found no function I could use to determine where the request to
> the DB (select...) came from. I need it to prevent using fake user ID
> numbers.

The 8.1 TODO indicates such information will be saved. I don't know if there will be a predefined function to retrieve the information, but if not, you will be able to write your own in C.

> Premises:
>
> All clients connect to the server via a single DB user. The users do
> not know the passwords of each other, but they may know each other's
> ID numbers. Any action in the system is carried out via access
> functions implemented as stored procedures on the DB and the tables
> are only accessible to select data, nothing more.

My suggestion would be to have everyone use their own username. You are effectively maintaining this information anyway, so I wouldn't expect it to be much harder to maintain normal postgres users instead of or in addition to your current ids.
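
The per-user login suggested in the reply above, sketched as an added example that is not part of the original thread: the access function takes the caller's identity from `session_user` instead of a caller-supplied ID, with the weak shared-login pattern shown beside it. It assumes a current PostgreSQL release; every table, role and function name is hypothetical.

```sql
-- Constructed schema; every table, role and function name here is hypothetical.
CREATE TABLE app_user (
    user_id integer PRIMARY KEY,
    db_role name NOT NULL UNIQUE          -- PostgreSQL login role for this application ID
);
CREATE TABLE note (
    note_id     serial PRIMARY KEY,
    owner_id    integer NOT NULL REFERENCES app_user(user_id),
    body        text NOT NULL,
    client_addr inet DEFAULT inet_client_addr()  -- audit only; NULL on Unix-socket connections
);

-- One login role per person instead of a single shared DB user.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
INSERT INTO app_user (user_id, db_role) VALUES (1, 'alice'), (2, 'bob');

-- Weak pattern from the thread: the caller names its own ID, so any session
-- that can execute the function can pass another user's ID.
CREATE FUNCTION add_note_weak(p_user_id integer, p_body text) RETURNS integer
LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp AS $$
    INSERT INTO note (owner_id, body) VALUES (p_user_id, p_body) RETURNING note_id;
$$;

-- Hardened form: no ID parameter. Inside a SECURITY DEFINER function
-- current_user is the function owner, while session_user is still the role
-- that authenticated the connection, so the caller cannot choose it.
CREATE FUNCTION add_note(p_body text) RETURNS integer
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE
    v_uid  integer;
    v_note integer;
BEGIN
    SELECT user_id INTO v_uid FROM app_user WHERE db_role = session_user;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'role % is not mapped to an application user', session_user;
    END IF;
    INSERT INTO note (owner_id, body) VALUES (v_uid, p_body) RETURNING note_id INTO v_note;
    RETURN v_note;
END;
$$;

-- Tables stay read-only for users; only the hardened function is callable.
REVOKE ALL ON app_user, note FROM PUBLIC;
REVOKE ALL ON FUNCTION add_note_weak(integer, text), add_note(text) FROM PUBLIC;
GRANT SELECT ON note TO alice, bob;
GRANT EXECUTE ON FUNCTION add_note(text) TO alice, bob;
```

The `client_addr` column records the connection's source address for auditing; the authorization decision rests on the authenticated role, not on the address.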