user authorization (with one time login) in a Python desktop application ?

Steven D'Aprano steve at REMOVE-THIS-cybersource.com.au
Sun Sep 27 11:42:55 EDT 2009


On Sun, 27 Sep 2009 16:11:52 +0200, Stef Mientki wrote:

> hello,
> 
> I've a Python desktop application, running under Windows, that stores the
> data in a central SQLite database.
> 
> Depending on the user login on the system, some of the data from the
> database is allowed and other data is forbidden.
> 
> I can read the current logged in user. The authorization for each user
> is stored encrypted in the database. The program is delivered as pyc
> files, but from what I read, these can easily be reverse engineered.

What does that have to do with anything? You're not storing the user's 
password in the source code are you?


> There is even an encrypted version of SQLite (not freeware), but as long
> as I test the authorization in Python, it doesn't seem to be a good
> protection.

What exactly are you doing to authenticate the user?


> So at first thought, a better way might be the following process:
> - encrypt the whole database

What is your threat model? What are you trying to protect against?

If your threat model is that desktop users will sneak into the server 
room while the boss is away, boot the server in single-user mode, and 
then use a disk utility to inspect the raw bytes on disk to read the data 
in the database (or that the government will swoop in and seize your 
computer and do the same), then encrypting the entire database may be a 
good idea. 

(But if your threat model is the government, then what are you going to 
do when they arrest you and demand you hand over the encryption keys?)

But if your threat model is that Fred will guess Barney's password, then 
encrypting the entire database is a waste of time. All it does is make 
your job harder, and the application slower, and it accomplishes nothing 
to stop Fred guessing the password.

Rather than trying to invent your own scheme for authentication, I 
suggest you see how your database handles it. Chances are this is already 
a solved problem. If SQLite doesn't handle authentication, there are 
plenty of "real" databases that do.


> - run all queries through a DLL written in C or Delphi, where also the
> authorization is checked
> 
> But on second thought that isn't true. The login on the computer is
> assumed to be enough (1-time login). So the Python program passes the
> username to the external DLL. And there's the weak point again,
> the username of every person in our organization is known to everyone.


If you can't trust the users not to swap usernames and passwords, you 
can't stop users from logging in as somebody else. Writing your 
application in C or Delphi can't prevent that. (I suppose you could use 
biometrics, but then what's to stop Fred calling Barney and getting him 
to put his thumb on the thumbprint reader?)

You need to think carefully about what threat you are defending against. 
Who is the enemy? Who can you trust? What *exactly* are you trying to 
stop them from doing?


> So it shouldn't be too difficult to modify the program, so it will
> always use the external DLL with the username with the highest
> authorization.
> 
> So the question remains:
> Is it possible to create a Python Desktop application, with user
> authorization, based on the login of the user ?

Are you trying to integrate that with the user's Windows login? That will 
probably be hard.



-- 
Steven
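
The weak point raised in this thread, as an added example that is not code from either poster: a check that filters by a caller-supplied username, running in a process that can also read the SQLite file directly, leaves two routes around the authorization table. The table layout, the names `gated_query` and `exposure`, and the sample rows are all constructed for illustration.

```python
import sqlite3

def build_db():
    # Constructed sample data standing in for the central SQLite file.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE acl(username TEXT, project TEXT);
        CREATE TABLE records(project TEXT, payload TEXT);
        INSERT INTO acl VALUES ('fred','alpha'), ('barney','alpha'), ('barney','beta');
        INSERT INTO records VALUES ('alpha','a1'), ('beta','b1'), ('beta','b2');
    """)
    return db

def gated_query(db, claimed_user):
    # Hypothetical stand-in for the DLL: it filters rows by the username the
    # caller passes in and has no way to check that the claim is true.
    sql = ("SELECT r.payload FROM records r JOIN acl a ON a.project = r.project "
           "WHERE a.username = ? ORDER BY r.payload")
    return [p for (p,) in db.execute(sql, (claimed_user,))]

def direct_query(db):
    # The same process can also read the file without going through the gate.
    return [p for (p,) in db.execute("SELECT payload FROM records ORDER BY payload")]

def exposure(db, real_user, known_usernames):
    # Rows reachable by real_user beyond what the ACL grants, per route.
    granted = set(gated_query(db, real_user))
    via_claim = set()
    for name in known_usernames:
        via_claim |= set(gated_query(db, name))
    return {
        "granted": sorted(granted),
        "extra_via_claimed_username": sorted(via_claim - granted),
        "extra_via_direct_read": sorted(set(direct_query(db)) - granted),
    }

if __name__ == "__main__":
    print(exposure(build_db(), "fred", ["fred", "barney"]))
```

Both "extra" lists are non-empty for fred, so the check only holds if it runs where the user cannot alter its inputs or reach the file, for example in a database server that authenticates the connection itself.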


