


Re: PyQT app accessible over network?

In-Reply-To <kgevgi$n8g$1@ger.gmane.org>
References <mailman.2180.1361463791.2939.python-list@python.org> <20130222164513.9377097f0cf2add2a6d16204@gmx.net> <kg87jq$kfd$1@ger.gmane.org> <CAO+9iGdCtzkkp=p5aA96qA9wqz+QDHc8mZTKwqUqpcd1ZUfFuA@mail.gmail.com> <kg8p5a$9en$1@ger.gmane.org> <mailman.2312.1361576247.2939.python-list@python.org> <20130224153134.4cab73a958ac7d1af476ae3d@gmx.net> <CAPTjJmrw7DvmdL3K8GqqYG1aexDWavo_LHZXcVG=hF_zJa2mWw@mail.gmail.com> <kgevgi$n8g$1@ger.gmane.org>
Date Mon, 25 Feb 2013 17:35:44 +1100
Subject Re: PyQT app accessible over network?
From Chris Angelico <rosuav@gmail.com>
To python-list@python.org
Newsgroups comp.lang.python
Message-ID <mailman.2491.1361774146.2939.python-list@python.org>



On Mon, Feb 25, 2013 at 5:14 PM, Frank Millman <frank@chagford.com> wrote:
> On 24/02/2013 16:58, Chris Angelico wrote:
>> MySQL has a philosophical structure of "user logs in to app,
>> but app logs in to database as superuser regardless of user login".
>
> Out of curiosity, is there anything wrong with that approach?
>
> The project I am developing is a business/accounting application, which
> supports multiple database systems - at this stage, PostgreSQL, MS SQL
> Server, and sqlite3.
>
> I use exactly the philosophy you describe above. If I relied on the RDBMS's
> internal security model, I would have to understand and apply each one
> separately.

Fundamentally no; it's a viable approach, as evidenced by the success
of MySQL and the myriad applications that use it in this way. It's a
matter of damage control and flexibility. Suppose your web server were
to be compromised - there are so many exploits these days that can
result in files on the server being unexpectedly read and transmitted
to the attacker. Your database superuser password (or, let's hope,
"just" database admin) is compromised, and with it the entire
database. This also forces you to treat the web application (usually
PHP scripts) as back-end.

In contrast, if you control permissions in the database itself, you
can actually treat the application as the front-end. You can happily
deploy it, exactly as-is, to untrusted systems. Sure, your typical PHP
system won't ever need that, but when you write something in Python,
it's much more plausible that you'd want to run it as a desktop app
and connect remotely to the database. It's flexibility that you may or
may not use, but is still nice to have.

Most RDBMSes have a broadly similar permissions system; at any rate,
no more different than the ancillaries (PostgreSQL has the "SERIAL"
type (which is a shortcut for INTEGER with a default value and an
associated SEQUENCE object), MySQL has AUTO_INCREMENT, etc, etc - if
you're going to support all of them, you either go for the lowest
common denominator, or you have different code here and there anyway).
You control access of different types to different named objects;
reading requires SELECT privilege on all tables/views read from,
editing requires INSERT/UPDATE, etc. For finer control than the table,
just deny all access to the table and grant access to a view. For more
complicated stuff ("edits to this table must have corresponding
entries in the log"), either triggers or stored procedures can do the
job.

It may take a lot of work to get the permissions down to their
absolute minimum, but one easy "half-way house" would be to create a
read-only user - SELECT permission on everything, no other perms. Not
applicable to all situations, but when it is, it's an easy way to
manage the risk of compromise.

I'm sure others can weigh in with a lot more detail.

ChrisA
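The three measures the reply above sketches (a read-only "half-way house" role, a view standing in for a table that the role may not touch, and a trigger that guarantees a log entry for every edit) written out as PostgreSQL DDL. This is an added example, not code from the thread or from Frank's project; the schema (`accounts`, `account_log`, `accounts_public`), the database name `ledger`, the role names `reporting` and `clerk`, and the passwords are all constructed placeholders. It goes slightly beyond the post in one respect a practitioner runs into immediately: the audit trigger is declared `SECURITY DEFINER`, because a plain trigger function runs with the privileges of the user doing the update, and `clerk` deliberately has no `INSERT` on the log table.

```sql
-- Constructed schema for the example (assumption: a small accounting ledger).
CREATE TABLE accounts (
    id      SERIAL PRIMARY KEY,          -- SERIAL = INTEGER + DEFAULT + SEQUENCE, as the post says
    owner   TEXT NOT NULL,
    balance NUMERIC(12,2) NOT NULL DEFAULT 0,
    tax_id  TEXT                          -- sensitive column most roles should never see
);

CREATE TABLE account_log (
    id          SERIAL PRIMARY KEY,
    account_id  INTEGER NOT NULL REFERENCES accounts(id),
    changed_by  TEXT NOT NULL DEFAULT current_user,
    changed_at  TIMESTAMPTZ NOT NULL DEFAULT now(),
    old_balance NUMERIC(12,2),
    new_balance NUMERIC(12,2)
);

-- 1. The "half-way house": SELECT on everything, no other privileges.
--    Note this role still sees tax_id; it limits damage (no writes), not exposure.
CREATE ROLE reporting LOGIN PASSWORD 'placeholder-change-me';
GRANT CONNECT ON DATABASE ledger TO reporting;            -- assumption: database is named ledger
GRANT USAGE ON SCHEMA public TO reporting;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO reporting;
-- Tables created later by this owner get the same SELECT grant automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO reporting;

-- 2. Finer control than the table: deny the table, grant a view.
--    The view omits tax_id; since the view runs with its owner's privileges,
--    clerk can read and update through it without any grant on accounts.
CREATE ROLE clerk LOGIN PASSWORD 'placeholder-change-me';
GRANT CONNECT ON DATABASE ledger TO clerk;
GRANT USAGE ON SCHEMA public TO clerk;

CREATE VIEW accounts_public AS
    SELECT id, owner, balance FROM accounts;               -- simple view: auto-updatable (PG 9.3+)

REVOKE ALL ON accounts FROM clerk;                         -- explicit, even though nothing was granted
GRANT SELECT ON accounts_public TO clerk;
GRANT UPDATE (balance) ON accounts_public TO clerk;        -- column-level: balance only, not owner/id

-- 3. "Edits to this table must have corresponding entries in the log."
--    SECURITY DEFINER makes the function run as its owner (the schema owner),
--    so the INSERT into account_log succeeds even though clerk cannot write the log
--    directly and therefore cannot forge or delete entries either.
CREATE FUNCTION log_balance_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    IF NEW.balance IS DISTINCT FROM OLD.balance THEN
        INSERT INTO account_log (account_id, old_balance, new_balance)
        VALUES (OLD.id, OLD.balance, NEW.balance);
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER accounts_audit
    AFTER UPDATE ON accounts
    FOR EACH ROW EXECUTE PROCEDURE log_balance_change();    -- EXECUTE FUNCTION on PG 11+ also works

-- Sanity checks to run as each role (expected outcomes in comments):
-- SET ROLE reporting;  UPDATE accounts SET balance = 1 WHERE id = 1;   -- ERROR: permission denied
-- SET ROLE clerk;      SELECT tax_id FROM accounts;                    -- ERROR: permission denied
-- SET ROLE clerk;      UPDATE accounts_public SET balance = 1 WHERE id = 1;  -- OK, one row in account_log
-- SET ROLE clerk;      DELETE FROM account_log;                        -- ERROR: permission denied
```

Two design points worth knowing before copying this pattern: `ALTER DEFAULT PRIVILEGES` only applies to objects created by the role that ran it, so run it as the schema owner that the application's migrations use; and the `changed_by` default of `current_user` records the role that issued the `UPDATE`, which is exactly the attribution you lose when every connection logs in as the same superuser.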



Thread

PyQT app accessible over network? Monte Milanuk <memilanuk@gmail.com> - 2013-02-21 08:22 -0800
  Re: PyQT app accessible over network? Wolfgang Keller <feliphil@gmx.net> - 2013-02-22 16:45 +0100
    Re: PyQT app accessible over network? Monte Milanuk <memilanuk@gmail.com> - 2013-02-22 08:50 -0800
      Re: PyQT app accessible over network? Wolfgang Keller <feliphil@gmx.net> - 2013-02-24 15:30 +0100
    Re: PyQT app accessible over network? Alec Taylor <alec.taylor6@gmail.com> - 2013-02-23 03:57 +1100
    Re: PyQT app accessible over network? Monte Milanuk <memilanuk@gmail.com> - 2013-02-22 13:49 -0800
    Re: PyQT app accessible over network? Michael Torrie <torriem@gmail.com> - 2013-02-22 16:37 -0700
      Re: PyQT app accessible over network? Wolfgang Keller <feliphil@gmx.net> - 2013-02-24 15:31 +0100
        Re: PyQT app accessible over network? Chris Angelico <rosuav@gmail.com> - 2013-02-25 01:58 +1100
        Re: PyQT app accessible over network? Frank Millman <frank@chagford.com> - 2013-02-25 08:14 +0200
        Re: PyQT app accessible over network? Chris Angelico <rosuav@gmail.com> - 2013-02-25 17:35 +1100
        Re: PyQT app accessible over network? Frank Millman <frank@chagford.com> - 2013-02-25 10:02 +0200
        Re: PyQT app accessible over network? Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-02-25 18:26 -0500
        Re: PyQT app accessible over network? Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-02-25 18:32 -0500
        Re: PyQT app accessible over network? Chris Angelico <rosuav@gmail.com> - 2013-02-26 17:26 +1100
    Re: PyQT app accessible over network? Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-02-22 19:20 -0500
    Re: PyQT app accessible over network? Chris Angelico <rosuav@gmail.com> - 2013-02-23 11:32 +1100
    Re: PyQT app accessible over network? Alec Taylor <alec.taylor6@gmail.com> - 2013-02-24 20:00 +1100
