Set up postgres to only allow connections from the loopback. Put the db credentials in a file, then rely on file-system permissions and/or SElinux to prevent access to that file from other processes on the system. This is the sort of thing SELinux is really designed for.
Matt On 1/31/2015 10:56 AM, Eric Chadbourne wrote: > FWIW, in PHP you often put the PostgreSQL user credentials in the code. > Usually a config file somewhere. You can also place sensitive files outside > of your web root with proper permissions. If all running on a local box I > don’t open the ports or set the db config to allow other connections. It > seems reasonably secure. > > I am curious as to what others do. > > The PostgreSQL docs have a ton of great info. > > - Eric > > > >> On Jan 31, 2015, at 10:28 AM, Kent Borg <[email protected]> wrote: >> >> Related to my previous database questions... >> >> Normally I think of a program as trusting itself, having some integrity, >> maybe not even having gaping bugs or security holes. But what if I the >> program I am writing is talking to another, such as Postgres? Postgres has >> the ability to do passwords, so do I just put a password in my program >> source? Set Postgres to only accept local connections, and hope for the >> best? Seems wrong. Do I try to put both in a chroot or something? >> >> My program already has to hope that its program files are secured by the >> hosting OS, but at least if it isn't opening up a network port it stays a >> rather contained problem. >> >> (I want multiple programs talking to the database, so no, I can't just link >> in Sqlite.) >> >> Seems a general problem of securing interprocess communications. >> >> Thoughts? >> >> Thanks, >> >> -kb, the Kent who knows that people Google for passwords, search github for >> passwords, and get a lot of juicy results. >> _______________________________________________ >> Discuss mailing list >> [email protected] >> http://lists.blu.org/mailman/listinfo/discuss > > _______________________________________________ > Discuss mailing list > [email protected] > http://lists.blu.org/mailman/listinfo/discuss > _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
