Open carlosparadis opened 7 years ago
As a reference, `webuser` is used by `survey_admin`, `survey_display` and `scrape-util`.

Regarding `scrape-util`:
The program connects to the database using this line: `with psql.connect(database=db) as con:`, where the values `username` and `password` are omitted.
`scrape-util` is using `psycopg2`, and the documentation states that it is a wrapper for `libpq`. `libpq` has a specified behavior for when connection parameters are omitted, as stated in the docs:

> **dbname** The database name. Defaults to be the same as the user name. In certain contexts, the value is checked for extended formats; see Section 32.1.1 for more details on those.
>
> **user** PostgreSQL user name to connect as. Defaults to be the same as the operating system name of the user running the application.
So, the next question is "What user is running scrape-util?" The answer to this will tell us what user is being used by scrape-util when connecting to the database.
A link to the scrape-util program is located in `/etc/cron.hourly/scrape-util`. Because the link to the script was just dropped into this folder, scrape-util gets run as `root`. In order to confirm this, I checked all processes running on the server at 12:17.

The first column specifies the user id and the last column specifies the command. Scrape-util is being run by `root`, and consequently the postgres database is using the same account.
Moving forward, we need to be able to run cron jobs on the user level, because this problem exposes normal users to root user privileges. Additionally, we need to know what the best practices are for using cron jobs. This will be further investigated here.

I'll take a final look over this when the dust settles down and update this comment and/or close the issue. Thanks!
Needs to clean a large list of inactive users and adjust necessary permission levels.
Relevant links: