Postgres、Django 和通用网络服务器身份验证安全(pg_hba.conf 等)
我正在尝试根据最佳实践和一般安全性来设置我的网络服务器,并且一直在尽可能多地阅读。
我的服务器正在运行 nginx & uwsgi 均已设置为以各自的用户“nginx”和“uwsgi”运行 - 两个用户均已设置为无登录、无密码。
我的所有应用程序/项目文件夹都以我自己的(非 root)用户名和“开发人员”组为 chown'ed。它们被 chmod 为对所有人只读。
第一个问题)
我的理解是这是一个很好的做法,因为服务器(uwsgi/nginx)没有对这些文件的写访问权限?
第二个问题)
我的 postgres pg_hba.conf 是:
local all postgres ident sameuser
local appdb appusername password
其中 appdb & appusername 已通过 pgsql 设置为特定应用程序
这是否意味着 (unix) 用户 'postgres' 只能在获得 ident/unix 授权后才能在本地登录?
此外,这是否意味着对数据库“dbname”的唯一访问是通过(psql)用户“dbuser”使用正确的密码
**最后部分**
如果我的服务器(uwsgi)技术上具有对我的django设置文件的读取访问权限(其中包含我的数据库详细信息,包括密码和 psql 用户名),这不是安全风险吗?
欢迎任何澄清!
I'm trying to set up my web server with best practices and general security in mind and have been reading up on as much as I can.
My server is running nginx & uwsgi which have both been set up to run to run as their respective users 'nginx' and 'uwsgi' - both users have been set up as no-login, no-password.
All my application/project folders are chown'ed under my own (non-root) user name and the group 'developers'. They are chmod'ed as read only to everyone.
1st Question)
My understanding is that this is good practice because the servers (uwsgi/nginx) have no write access to these files?
2nd Question)
My postgres pg_hba.conf is:
local all postgres ident sameuser
local appdb appusername password
where appdb & appusername have been setup through pgsql for a particular app
Does this mean that the (unix) user 'postgres' can only login locally when authorized by ident/unix?
Furthermore does it mean that the only access to the database 'dbname' is through the (psql) user 'dbuser' with the correct password
** Final Part **
If my server (uwsgi) technically has read access to my django settings file (which has my database details including password and psql username), is this not a security risk?
Any clarifications would be welcome!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
是的,这是一种很好的做法(尽管对于 Web 应用程序来说很少见),因为服务器无需对不需要的文件进行读写访问。
是的,这意味着由 postgres 操作系统用户运行的任何进程都可以作为 postgres 数据库用户访问任何数据库。它是由 ident 强制执行的,但不是不安全和不可靠的网络 ident,而是本地、安全和可靠的 SO_PEERCRED。
我还建议服务不要通过密码连接,而是通过本地身份连接——如果攻击者以某种方式获得使用保存的密码读取设置文件的权限(例如从备份、不安全传输等),那么它就可以对数据库执行任何操作。使用 ident,它必须能够以特定用户身份运行代码,这要困难得多。
一切都是安全风险。安全性是管理这种风险的一门艺术——管理安全与便利之间的平衡。如果您可以将服务器配置为不需要访问此文件,并且它不会太不切实际(例如重新启动时需要手动干预),那么就去做吧。也许这种“ident”身份验证会更好。
Yes it is a good (although rare for web applications) practice for servers to not have write or read access to files it does not have to.
Yes it means that any process, which is run by postgres OS user, can access any database as postgres database user. And it is enforced by ident, but not insecure and unreliable network ident but local, secure and reliable SO_PEERCRED.
I'd also recommend that services connect not by password but by local ident — if attacker gains somehow read privilege to settings file (for example from backups, insecure transfer etc.) with saved password then it can do anything to database. With ident it has to be able to run code as particular user, which is much harder.
Everything is a security risk. Security is an art of managing this risk — managing balance between secure and convenient. If you can configure your server that it does not need access to this files and it would not be overly impractical (for example needs manual intervention on reboot) then go for it. Maybe this "ident" authentication would be better.