Do you see flaws in this design that I'm missing?
You're assuming that any compromise of the CGI script only applies to a single user and a single invocation of the script.
If the Evil Hacker can run arbitrary code then this may not be true. For example the compromised script could spin off another process that sits their doing a dictionary attack on your database, badly set permissions could allow the script to rewrite itself, etc.
In some ways a mod_perl server would be more secure. Set it up to only service a single request per-process. You still save on startup time, forks are cheap (definately cheaper than starting up a separate CGI process and loading all the modules needed), and a compromised service would have to restart Apache to affect future requests.
That said, it seems odd to me to be worrying about the database access in this way.
If it were me, and my requirements had me worrying about the possibility of a buggy CGI/mod_perl being compromised, then there is no way in heck I would have direct access to the database on the same box as the W3 server.
You don't need all the database functionality, the Evil Hacker can use it to gain information that you don't need/want to reveal, and you open yourself up to possible security holes in the database layer.
I'd have my W3 server talking to a separate applications server on another box using a very thin application specific protocol that only supplied just enough functionality for the W3 application to do what it needs to do. You hide most database-specific exploits away on the other box, and have something that you can apply fine grained security controls too.
In reply to Re^5: Secure way to pass database connection info from mod_perl handler to CGI script
by adrianh
in thread Secure way to pass database connection info from mod_perl handler to CGI script
by sgifford
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |