From: Chris Angelico
Date: Tue, 26 Feb 2013 17:26:48 +1100
Subject: Re: PyQT app accessible over network?
To: python-list@python.org
Newsgroups: comp.lang.python

On Tue, Feb 26, 2013 at 10:26 AM, Dennis Lee Bieber wrote:
> On Mon, 25 Feb 2013 17:35:44 +1100, Chris Angelico
> declaimed the following in gmane.comp.python.general:
>> It may take a lot of work to get the permissions down to their
>> absolute minimum, but one easy "half-way house" would be to create a
>> read-only user - SELECT permission on everything, no other perms. Not
>> applicable to all situations, but when it is, it's an easy way to
>> manage the risk of compromise.
>>
> I think I'd recommend that even this read permission be limited to
> the tables required by the application... Wouldn't want someone to
> "accidentally" read the database user account tables, would we?

Of course; once you have the concept of divided access levels, you can
take it wherever you like. But some systems don't even HAVE "database
user account tables" as such; look at this site:

http://rosuav.com/1/

That's an old PHP-based site of mine, originally done in MySQL, now
using PostgreSQL but not as yet moved off PHP. In index.php, the
database connection has read-only access; there's a separate page that
lets me log in using higher database credentials, and thus gain the
power to add/edit entries. It's fine for the read-only user to have
access to every table, because there's really only one table (not
counting statistics).

ChrisA
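
An added example, not part of the original post and not code from the site it mentions: the divided access levels discussed in this thread, written as PostgreSQL grants. The database name "site", the tables "entries" and "app_users", the roles "site_ro" and "site_editor" and the passwords are all assumptions made up for illustration.

```sql
-- Constructed schema and names: database "site", tables "entries" and
-- "app_users", roles "site_ro" and "site_editor". Passwords are placeholders.
CREATE TABLE entries   (id serial PRIMARY KEY, title text NOT NULL, body text);
CREATE TABLE app_users (id serial PRIMARY KEY, login text UNIQUE, pw_hash text);

CREATE ROLE site_ro     LOGIN PASSWORD 'CHANGE_ME_RO';
CREATE ROLE site_editor LOGIN PASSWORD 'CHANGE_ME_EDITOR';

-- Remove the defaults every role inherits through PUBLIC, then grant back
-- only what each account needs.
REVOKE ALL ON DATABASE site FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE site TO site_ro, site_editor;
GRANT USAGE ON SCHEMA public TO site_ro, site_editor;

-- The "half-way house" from the thread: read everything, write nothing.
-- On this schema it would also expose app_users, so it is left commented out:
--   GRANT SELECT ON ALL TABLES IN SCHEMA public TO site_ro;

-- Narrower variant: SELECT only on the table the public page displays.
GRANT SELECT ON entries TO site_ro;

-- Account used by the separate login page: may add and edit entries,
-- still has no access to app_users.
GRANT SELECT, INSERT, UPDATE ON entries TO site_editor;
-- INSERT into a serial column also needs the backing sequence.
GRANT USAGE ON SEQUENCE entries_id_seq TO site_editor;

-- Audit the result: one row per (role, table, privilege) actually granted.
SELECT grantee, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee IN ('site_ro', 'site_editor')
ORDER BY grantee, table_name, privilege_type;
```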