Monday, June 21, 2010

Re: PostgreSQL backend - Ident authentication failed?

On 21 June 2010 20:16, Kenneth Gonsalves <lawgon@au-kbc.org> wrote:
> On Monday 21 June 2010 15:37:50 Sam Lai wrote:
>> >> You do bring up an interesting point though, and I don't know much
>> >> about the architecture of Apache and how holes are exploited when they
>> >> exist, but if the trespasser can execute arbitrary code as www-data,
>> >> wouldn't they have access to settings.py anyway?
>> >
>> > and just to add to your worries, assuming that you have debug on in your
>> > production system, somewhere deep down in the traceback, you may see your
>> > database username and password! As for the apache question there are
>> > experts in this list who can answer them.
>>
>> Thanks for mocking what was and still is a serious point.
>>
>
> I am sorry if you feel I was mocking - it was not my intention. And the point
> you were bringing up about Apache is a vast subject and I am not competent to
> answer it. As for the debug thing, it is just a warning not to run debug in
> production.

Ah, I must've interpreted it incorrectly; I apologise. I'm definitely
no expert on *nix and Apache security, so I'd appreciate it if anyone
could clarify as well.

From the PGSQL docs [1],
"On systems supporting SO_PEERCRED requests for Unix-domain sockets
(currently Linux, FreeBSD, NetBSD, OpenBSD, BSD/OS, and Solaris),
ident authentication can also be applied to local connections. In this
case, no security risk is added by using ident authentication; indeed
it is a preferable choice for local connections on such systems."

http://www.postgresql.org/docs/current/static/auth-methods.html

So it seems the postgresql people think it is ok, but I'm not sure
once you add in Apache and things like Django on top of it.

> --
> Regards
> Kenneth Gonsalves
> Senior Associate
> NRC-FOSS at AU-KBC

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
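The SO_PEERCRED lookup the quoted docs rely on, as an added Python example (not from the thread and not PostgreSQL's own code): the server end of a Unix-domain socket asks the kernel for the connecting process's uid and maps that OS user onto the database users it may become, the way a pg_hba.conf ident (later called peer) line with a pg_ident.conf map does. It assumes Linux (struct ucred layout), uses socketpair() so the peer is the process itself, and the ident_map is a constructed stand-in; it also makes concrete why every process running under one OS account, a web server worker included, presents the same credential.

```python
import os
import pwd
import socket
import struct

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid.
_UCRED_FMT = "iII"


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket.
    The kernel fills this in, so the client cannot forge it. Linux only."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def os_user_name(uid):
    """Resolve a uid to a login name; fall back to the number if no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def ident_allows(os_user, requested_db_user, ident_map):
    """Mimic the pg_hba ident/peer decision: the OS user seen on the socket must
    be mapped to the database user the client asks for.
    ident_map is {os_user: {db_user, ...}}, a constructed stand-in for pg_ident.conf."""
    return requested_db_user in ident_map.get(os_user, set())


def check_local_connection(server_sock, requested_db_user, ident_map):
    _pid, uid, _gid = peer_credentials(server_sock)
    os_user = os_user_name(uid)
    return os_user, ident_allows(os_user, requested_db_user, ident_map)


def demo():
    # socketpair() yields both ends of a Unix-domain connection in-process,
    # so the "peer" is this process and the kernel reports our own uid.
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        me = os_user_name(os.getuid())
        # Constructed map: this OS account may only become the "webapp" role.
        ident_map = {me: {"webapp"}}
        os_user, ok_webapp = check_local_connection(server_side, "webapp", ident_map)
        _, ok_postgres = check_local_connection(server_side, "postgres", ident_map)
        return os_user == me, ok_webapp, ok_postgres
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Run as the web server's OS account and the map decides which database roles that account (and therefore anything executing as it) can reach over the local socket.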