On Fri, Jun 09, 2017 at 21:14:15 -0700, Ken Tanzer <ken.tanzer@xxxxxxxxx> wrote:
On Fri, Jun 9, 2017 at 5:38 PM, Bruno Wolff III <bruno@xxxxxxxx> wrote:

Seems to me they are separate issues. App currently has access to the password for accessing the DB. (Though I could change that to ident access and skip the password.) App 1) connects to the DB, 2) authenticates the user (within the app), then 3) proceeds to process input, query the DB, produce output. If step 2A becomes irrevocably changing to a site-specific role, then at least I know that everything that happens within 3 can't cross the limitations of per-site access. If someone can steal my password or break into my backend, that's a whole separate problem that already exists both now and in this new scenario.
In situations where a person has enough access to the app (e.g. it is a binary running on their desktop) to do spurious role changes, they likely have enough access to hijack the database connection before privileges are dropped.
-- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
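The setup the thread is discussing, written out as an added PostgreSQL example (this is not code from either poster): one application login role, one non-login role per site, and row-level security keyed on the current role, followed by a session that shows why the role change in Ken's step 2 is not irrevocable. The role, table and column names (app_login, site_a, site_b, client, site_id) and the sample rows are assumptions constructed for illustration.

```sql
-- Added example, not from the thread. Role/table names are assumptions.

-- 1. One login role for the application. NOINHERIT means it holds no table
--    privileges of its own; it gains them only after SET ROLE to a site role.
CREATE ROLE app_login LOGIN PASSWORD 'placeholder-change-me' NOINHERIT;

-- 2. One non-login role per site; app_login is allowed to switch into either.
CREATE ROLE site_a NOLOGIN;
CREATE ROLE site_b NOLOGIN;
GRANT site_a TO app_login;
GRANT site_b TO app_login;

-- 3. A per-site data table with constructed sample rows.
CREATE TABLE client (
    id      serial  PRIMARY KEY,
    site_id integer NOT NULL,
    name    text    NOT NULL
);
INSERT INTO client (site_id, name) VALUES (1, 'site A client'), (2, 'site B client');

-- 4. Row-level security: each site role sees and writes only its own rows.
ALTER TABLE client ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT, UPDATE, DELETE ON client TO site_a, site_b;
GRANT USAGE, SELECT ON SEQUENCE client_id_seq TO site_a, site_b;
CREATE POLICY site_a_rows ON client FOR ALL TO site_a
    USING (site_id = 1) WITH CHECK (site_id = 1);
CREATE POLICY site_b_rows ON client FOR ALL TO site_b
    USING (site_id = 2) WITH CHECK (site_id = 2);

-- ---------------------------------------------------------------------------
-- Application session (Ken's step 1): the app connects as app_login, e.g.
--   psql -U app_login
-- Before any SET ROLE the base role can touch nothing:
SELECT name FROM client;             -- ERROR: permission denied (NOINHERIT)

-- Ken's step 2: after the app has authenticated the user, pin the session to
-- that user's site.
SET ROLE site_a;
SELECT current_user;                 -- site_a
SELECT name FROM client;             -- returns only 'site A client'
INSERT INTO client (site_id, name)
    VALUES (2, 'cross-site write');   -- ERROR: new row violates policy WITH CHECK

-- Bruno's point: the switch is reversible on the same connection. Any code
-- running in step 3 can undo it and choose another site:
RESET ROLE;                          -- back to app_login
SET ROLE site_b;
SELECT name FROM client;             -- now returns only 'site B client'
```

RESET ROLE (or SET ROLE NONE) is always available to the session user, so the per-site boundary only holds against code that shares the connection if the connection itself was opened as a per-site login role, leaving nothing more privileged to reset back to. The NOINHERIT base role still helps as a defence in depth: a connection that never executes SET ROLE has no data privileges at all, and an unexpected RESET ROLE or second SET ROLE on a pinned session is a cheap thing to alert on in log_statement output.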