Does insert only db access offer any additional security
The short answer is "Yes", it does offer some additional security as you make it more difficult for an attacker to gain the information these outside users are entering.
The long answer is that a focused attacker could:
- use the compromised web nodes to hijack your outside users towards his server or inject malware, likely with little difference to be noted in the web interface as he has access to your page sources
- use the compromised web nodes to capture future data that is entered by outside users and forward this data to his servers for capture, thereby over time replicating parts of your database
- traverse from the web node to the internal network over time, for example through new security holes found in the database interface or any other interface you expose to the web nodes
Absolutely! However, the terminology would be an insert-only user. You would still use the same DB.
Most database servers have a concept of access control internally, which is independent of the OS access control.
Basically, the insert-only user would only have INSERT privilege, and then only for the particular tables it should insert into.
This would limit the scope of SQLi attacks quite a bit.
See: What are the security benefits to a separate user database?
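The insert-only account described in the answer above, sketched for PostgreSQL as an added example that is not part of either original answer. The schema `intake`, table `submissions`, and roles `web_insert` and `web_app` are hypothetical names, and the script is assumed to run as a superuser or the table owner.

```sql
-- Added example (PostgreSQL). All object and role names are assumptions.
CREATE SCHEMA intake;
CREATE TABLE intake.submissions (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    email      text NOT NULL,
    body       text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Over-broad pattern, shown only for contrast: one web account that can
-- read and rewrite every table in the schema.
-- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA intake TO web_app;

-- Insert-only account used by the web nodes.
CREATE ROLE web_insert LOGIN PASSWORD 'CHANGE_ME'  -- placeholder secret
    NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT USAGE ON SCHEMA intake TO web_insert;

-- Column-level grant: the web tier supplies only email and body;
-- id and created_at are always filled by the table defaults.
-- The identity column needs no separate sequence grant.
GRANT INSERT (email, body) ON intake.submissions TO web_insert;

-- Exercise the role. Run in psql, which continues past failed statements.
SET ROLE web_insert;

-- Covered by the grant:
INSERT INTO intake.submissions (email, body)
VALUES ('user@example.test', 'constructed sample row');

-- Each of these needs a privilege web_insert was never given, so the
-- server rejects it with "permission denied":
SELECT email FROM intake.submissions;
UPDATE intake.submissions SET body = '';
DELETE FROM intake.submissions;
-- RETURNING reads columns back, so it requires SELECT as well as INSERT.
INSERT INTO intake.submissions (email, body)
VALUES ('user@example.test', 'x') RETURNING id;

RESET ROLE;

-- Audit the effective privileges from the admin session.
SELECT has_column_privilege('web_insert', 'intake.submissions', 'email', 'INSERT') AS can_insert,
       has_table_privilege('web_insert', 'intake.submissions', 'SELECT')          AS can_select,
       has_table_privilege('web_insert', 'intake.submissions', 'UPDATE')          AS can_update,
       has_table_privilege('web_insert', 'intake.submissions', 'DELETE')          AS can_delete;
```

Application code that relies on `INSERT ... RETURNING` or `ON CONFLICT DO UPDATE` will fail under this role, because those clauses need SELECT or UPDATE privilege in addition to INSERT.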