Re: Interesting suid problem



From: Jeff Shipman - SysProg <jeff nmt edu>
>
> Because we have 1500+ users which are added
> every semester and EVERYONE needs to be able
> to read it. There are three different levels
> of access which are determined upon startup
> by which group you are in (nothing special,
> worker, or manager). The access is software
> enforced and what we want is to make it so
> normal users cannot read the password file.
> If they could, they'd be able to just login
> to the DB and issue commands, viewing information
> about other users which they should not
> be able to view.
>
> Jeff Shipman           E-Mail: jeff nmt edu
> Systems Programmer     Phone: (505) 835-5748
> NMIMT Computer Center  http://www.nmt.edu/~jeff

Can't you make the database itself able to enforce user access
to certain databases? I think PostgreSQL can do this.

> On 21 Feb 2002, Sven Neumann wrote:
>
> } Hi,
> }
> } Jeff Shipman - SysProg <jeff nmt edu> writes:
> }
> } > I have a situation where I am using GTK as
> } > a frontend for a database we have. Everything
> } > is fine except for the fact that I want to
> } > keep the database password secure. I do
> } > not want to store it in the program for
> } > obvious reasons so I thought I would save
> } > it in an external file and have the program
> } > read it on startup. The only decent way that
> } > I know of to do this is to have a special user
> } > which can read the file and have the program
> } > setuid to run as that user. However, gtk
> } > doesn't like being run setuid.
> }
> } If you make your GTK+ app run setuid you can as well make the passwd
> } file readable by everyone.  How about making the file readable by
> } members of a special group and add authorized users to that group ?
> }
> }
> } Salut, Sven
> }
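
Added example, not part of the original messages: a sketch of the database-side enforcement suggested in the reply, written for a current PostgreSQL (row-level security requires 9.5 or later). The table, the role names and what each level is allowed to do are assumptions made for illustration.

```sql
-- Constructed example: hypothetical roles and table, not from the thread.
-- One group role per access level; none of them can log in directly.
CREATE ROLE app_user    NOLOGIN;   -- "nothing special"
CREATE ROLE app_worker  NOLOGIN;
CREATE ROLE app_manager NOLOGIN;

-- Levels nest: a worker has user rights, a manager has worker rights.
GRANT app_user   TO app_worker;
GRANT app_worker TO app_manager;

-- Hypothetical table holding per-user information.
CREATE TABLE account_info (
    owner text PRIMARY KEY DEFAULT current_user,
    notes text
);

-- Table privileges come only from the group roles.
REVOKE ALL ON account_info FROM PUBLIC;
GRANT SELECT                         ON account_info TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON account_info TO app_manager;

-- Row-level security: the server, not the GTK client, decides which rows
-- a session may see. Permissive policies are OR-ed together.
ALTER TABLE account_info ENABLE ROW LEVEL SECURITY;

CREATE POLICY own_row ON account_info
    FOR SELECT TO app_user
    USING (owner = current_user);      -- ordinary users: own row only

CREATE POLICY worker_read ON account_info
    FOR SELECT TO app_worker
    USING (true);                      -- workers: read every row

CREATE POLICY manager_all ON account_info
    FOR ALL TO app_manager
    USING (true) WITH CHECK (true);    -- managers: read and write every row

-- One login role per person, placed in the matching group (sample names).
CREATE ROLE alice LOGIN IN ROLE app_user;
CREATE ROLE bob   LOGIN IN ROLE app_worker;
CREATE ROLE carol LOGIN IN ROLE app_manager;

-- With peer authentication on the local socket (pg_hba.conf line
--   local  all  all  peer
-- ) the OS login name selects the database role, so there is no shared
-- password file to protect and no need for a setuid client.
```

Connected as alice, `SELECT * FROM account_info;` returns only the row whose owner is alice, whichever client program issues the query.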


