pg_shadow / pg_user
From | Rudi |
---|---|
Subject | pg_shadow / pg_user |
Date | |
Msg-id | 000801c1af79$f270d8f0$0c00a8c0@sun |
Responses |
Re: pg_shadow / pg_user
Re: pg_shadow / pg_user |
List | pgsql-sql |
Hi friends,
I've been learning about security using Pg lately.
Up until last night I thought system user passwords were stored safely away in pg_user.
So far I haven't been able to get any passwords out, only '*******'.
Then last night I was observing each system table and found that pg_shadow stores user passwords in clear text.
??
pg_shadow = clear text password
pg_user = hidden password
I guess this means if an intruder gets an appropriate account on the box they can view all passwords.
I had assumed that system passwords were stored hidden from all eyeballs.
Sort of like apache storing http passwords in binary form in a db.
Is this how it is?
If so, I was thinking I'd like to know if someone tries or succeeds in querying the pg_shadow table.
I thought maybe to increase the postmaster debug level so that all SQL queries are logged.
Then write a cron job to check this log and email me if it is detected that a user attempted to or did query
the pg_shadow table.
How does this sound?
Am I totally on track?
Thanks for your time and attention
Kind regards
Rudi.
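
The log check proposed in the message above, sketched as an added example that is not part of the original post. It assumes a server logging every statement (`log_statement = 'all'`) with `log_line_prefix = '%t [%p] %u@%d '`; the function names and the sample log lines are constructed for illustration.

```python
import re
# Assumes log_statement = 'all' and log_line_prefix = '%t [%p] %u@%d ' (adjust ENTRY).
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]*)@(?P<db>\S*) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
STMT = re.compile(r"^(?:statement|execute \S+): (?P<sql>.*)$")
WATCHED = re.compile(r"\bpg_shadow\b", re.IGNORECASE)
# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4101] app@shop LOG:  statement: SELECT id FROM orders;
2024-05-01 10:00:07 UTC [4102] report@shop LOG:  statement: SELECT usename, passwd
\tFROM pg_shadow;
2024-05-01 10:00:07 UTC [4102] report@shop ERROR:  permission denied for view pg_shadow
2024-05-01 10:00:07 UTC [4102] report@shop STATEMENT:  SELECT usename, passwd
\tFROM pg_shadow;
2024-05-01 10:02:30 UTC [4110] postgres@postgres LOG:  statement: select * from PG_SHADOW;
""".splitlines()

def entries(lines):
    """Group lines into entries; tab-indented lines continue the previous entry."""
    current = None
    for line in lines:
        m = ENTRY.match(line.rstrip("\n"))
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current and line.startswith("\t"):
            current["msg"] += " " + line.strip()
    if current:
        yield current

def find_pg_shadow_access(lines):
    """Return each logged statement naming pg_shadow, with its outcome."""
    findings, last_by_pid = [], {}
    for e in entries(lines):
        m = STMT.match(e["msg"])
        if e["level"] == "LOG" and m:
            hit = None
            if WATCHED.search(m["sql"]):  # "succeeded" = no ERROR logged afterwards
                hit = {"ts": e["ts"], "user": e["user"], "db": e["db"],
                       "sql": m["sql"], "outcome": "succeeded"}
                findings.append(hit)
            last_by_pid[e["pid"]] = hit  # latest statement of this backend
        elif e["level"] == "ERROR" and last_by_pid.get(e["pid"]):
            denied = "permission denied" in e["msg"]
            last_by_pid[e["pid"]]["outcome"] = "denied" if denied else "failed"
    return findings

if __name__ == "__main__":
    for f in find_pg_shadow_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['db']} {f['outcome']}: {f['sql']}")
```

Run from cron over the log written since the previous run, any output is mailed to the crontab owner (or the address in `MAILTO`). A plain text match also fires on statements that only mention pg_shadow in a string or comment, so findings need a quick review.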