Update userbase of the database and associated role permissions #3

Open
carlosparadis opened this issue Sep 23, 2017 · 3 comments

@carlosparadis
Member

Needs to clean a large list of inactive users and adjust necessary permission levels.

Relevant links:

@carlosparadis
Member Author

carlosparadis commented Oct 3, 2017

As a reference, webuser is used by survey_admin, survey_display and scrape-util.

@ryantanaka

ryantanaka commented Oct 4, 2017

Regarding scrape-util:

The program connects to the database using this line: `with psql.connect(database=db) as con:`, where the values username and password are omitted.

scrape-util is using 'psycopg2' and the documentation states that it is a wrapper for 'libpq'.

libpq has a specified behavior for when connection parameters are omitted as stated in the docs:

dbname
The database name. Defaults to be the same as the user name. In certain contexts, the value is checked for extended formats; see Section 32.1.1 for more details on those.
user
PostgreSQL user name to connect as. Defaults to be the same as the operating system name of the user running the application.

So, the next question is "What user is running scrape-util?" The answer to this will tell us what user is being used by scrape-util when connecting to the database.

A link to the scrape-util program is located in /etc/cron.hourly/scrape-util. Because the link to the script was just dropped into this folder, scrape-util gets run as root. In order to confirm this, I checked all processes running on the server at 12:17.

[Image: scrape_process]

The first column specifies the user id and the last column specifies the command. Scrape-util is being run by root, and consequently the postgres database is using the same account.

Moving forward, we need to be able to run cron jobs on the user level because this problem exposes normal users to root user privileges. Additionally, we need to know what the best practices are for using cron jobs. This will be further investigated here.
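
The fallback described in the comment above can be checked before the job connects. This is an added example, not code from scrape-util or from the thread: it models libpq's choice of role (explicit `user`, then `PGUSER`, then the OS name of the effective uid) and refuses an implicit or privileged role. The function names, `FORBIDDEN_ROLES` and the `surveydb` database name are assumptions; service files and connection URIs are not modelled.

```python
import os
import pwd

# Assumption for this example: roles a scheduled job must never connect as.
FORBIDDEN_ROLES = {"root", "postgres"}


def effective_pg_user(connect_kwargs, environ=None, os_user=None):
    """Return (role, source) libpq would pick for psycopg2.connect(**connect_kwargs).

    Modelled order: explicit ``user`` keyword, then the PGUSER environment
    variable, then the OS name of the effective uid. Service files and
    connection URIs are not modelled.
    """
    environ = os.environ if environ is None else environ
    if connect_kwargs.get("user"):
        return connect_kwargs["user"], "explicit"
    if environ.get("PGUSER"):
        return environ["PGUSER"], "PGUSER"
    if os_user is None:
        os_user = pwd.getpwuid(os.geteuid()).pw_name
    return os_user, "os-user"


def check_connection(connect_kwargs, environ=None, os_user=None):
    """Return the role if it is explicit and allowed, otherwise raise."""
    role, source = effective_pg_user(connect_kwargs, environ, os_user)
    if source != "explicit":
        raise RuntimeError(
            f"no explicit user: libpq would fall back to {role!r} ({source})")
    if role in FORBIDDEN_ROLES:
        raise RuntimeError(f"refusing to connect as privileged role {role!r}")
    return role


if __name__ == "__main__":
    # Constructed inputs: the call from the thread, as run from cron.hourly
    # (OS user root, no PGUSER), then the same call with an explicit role.
    cases = [
        ({"database": "surveydb"}, {}, "root"),
        ({"database": "surveydb", "user": "webuser"}, {}, "root"),
    ]
    for kwargs, env, os_user in cases:
        try:
            print(kwargs, "->", check_connection(kwargs, env, os_user))
        except RuntimeError as exc:
            print(kwargs, "-> blocked:", exc)
```

Calling `check_connection` with the same keyword arguments just before the `psql.connect(...)` line makes the job fail closed if it is ever scheduled under a different OS user.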

@carlosparadis
Member Author

I'll take a final look over this when the dust settles down and update this comment and/or close the issue. Thanks!
