On Sun, 9 Apr 2000, Binand Raj S. wrote:
> I don't even understand what you are trying to say here. Apache runs as
> nobody:nobody by default, and that is enough for me. If it has to access a
> postgres database, all I will do is to edit /etc/group to put nobody in the
> postgres group, and make all relevant files group-writable. I will still
> ask for passwords, though.

Hey!
Either I am missing something or you haven't got me.
See, if I add the user nobody to the database, then ALL users will be able
to have access to the database.

Now, if I have two sets of people, one with database access and the other
without, the ones who should not have access to the database can still
have access by writing scripts/programs and running them through the
web-server as user nobody. What do I do in this case?

(The point here is, if nobody { the user } is allowed database access,
then the script/program can have access to it without password. Even if
there are passwords, they have to be hard-coded into the
script/program/config-files. Here, I am NOT talking about the
user-authentication passwords but the database password)

If the password is stored somewhere in A's account, I (B), can write a
script, run it through a web-server and get the contents mailed/copied to
some other place (assuming that B doesn't have permission to directly view
the file, but "nobody" has ;-)

> I will still have to add the user nobody to postgres. :-)

True, but I was saying, maybe, another user "webdb" can be added, and the
other server be run as that!

> Even with apache, there is absolutely no need for cleartext passwords. Do
.....
> /etc/shadow, or even more complex stuff like MD5 or Kerberos. It can even
> print ERR for everything. :-)

Arre .. I was talking about database authentication.
And web-based authentication (extra precaution) for those who should have
access to the database through the web.

regards,
jaju


-----------------------------------------------------------------------
For information on this and other Linux India mailing lists check out
http://lists.linux-india.org/
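
The exposure discussed in the message above can be audited from the permission bits alone. The following is an added example, not part of the original thread: it lists which files in a tree a non-root web-server account could open, once with no extra group and once after the account is added to the files' group. The tree, file names, modes and the uid standing in for "nobody" are constructed; ACLs are not modelled.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def readable_by(root, uid, gids):
    """Regular files under root that a non-root account (uid, gids) can read.
    Only search (x) is required on directories: file names may be guessable."""
    hits = []
    def walk(d):
        if not allowed(os.stat(d), uid, gids, 1):
            return
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            st = os.lstat(p)  # symlinks are not followed
            if stat.S_ISDIR(st.st_mode):
                walk(p)
            elif stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, 4):
                hits.append(os.path.relpath(p, root))
    walk(root)
    return hits

def demo():
    """Constructed tree: accounts 'a' and 'b', each with a DB password file."""
    root = tempfile.mkdtemp()
    layout = {"a/public_html/db.conf": 0o644,  # world-readable
              "a/private/db.conf": 0o640,      # readable via group membership
              "b/cgi-bin/db.conf": 0o600}      # owner only
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("password=constructed-sample\n")
        os.chmod(path, mode)
    for d, _dirs, _files in os.walk(root):
        os.chmod(d, 0o755)
    st = os.stat(os.path.join(root, "a/private/db.conf"))
    web_uid = st.st_uid + 1  # hypothetical stand-in for "nobody"
    return (readable_by(root, web_uid, ()),            # no extra group
            readable_by(root, web_uid, (st.st_gid,)))  # added to the files' group

if __name__ == "__main__":
    for label, files in zip(("no group", "in group"), demo()):
        print(label, files)
```

Every path in either list is readable by any script executed under the shared web-server account, whoever wrote the script.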
