Re: Minimising windows installer password confusion
| От | Florian Pflug |
|---|---|
| Тема | Re: Minimising windows installer password confusion |
| Дата | |
| Msg-id | 036231D3-C48A-4236-9AE9-ADD1F271AD13@phlo.org обсуждение исходный текст |
| Ответ на | Re: Minimising windows installer password confusion (Dave Page <dpage@pgadmin.org>) |
| Ответы |
Re: Minimising windows installer password confusion
(Craig Ringer <craig@postnewspapers.com.au>)
|
| Список | pgsql-hackers |
On Jun13, 2012, at 11:10 , Dave Page wrote: > On Wed, Jun 13, 2012 at 2:12 AM, Craig Ringer > <craig@postnewspapers.com.au> wrote: >> >> Users don't remember passwords, though. It's one of those constants, and is >> why practically every web site etc out there offers password recovery. >> >> The installer IMO needs to store the postgres account password in a registry >> key with permissions set so that only users with local admin rights (ie: who >> can use the installer) can view it. I don't like the idea of storing a >> password, but it's only going to be accessible if you already have rights to >> the registry as local admin, in which case the attacker can just reset it >> themselves (or root your machine). So long as they installer warns that the >> password shouldn't be one you use elsewhere because it can be recovered from >> your computer, I don't see a problem.--- > > The idea of storing the password in clear text in the registry gives > me nervous twitches. Whilst is should be secure if done as you > suggest, a) a simple mistake could leave it vulnerable and give us an > embarrassing security issue to deal with. It also doesn't help us in > the cases where users have another installation of PostgreSQL from > somewhere that doesn't store the password (which is likely to be the > case for years to come, even if it was our installer that was used > previously). Hm, doesn't the registry already contain the postgres service account's password? AFAIR, on windows you cannot really impersonate an account without knowing it's password, which is the reason why a) the password of a user account is stored in the registry if you enable auto-logon and b) you need to know the service account's password to create a service. Some googling brought up a tool called isvcpwd[1] which seems to be able to change service account passwords without breaking services. Judging from a brief glance over the source code, it does so by iterating over all services domain-wide, and adjusting the service definition of those which rely on the modified account(s). So that seems to support the theory that the passwords are stored in the individual machine's registries. Some further googling indicates that, yes, the service account passwords are stored in the registry, but are only accessible to the LocalSystem account [2]. Querying them from the postgres installer thus isn't really an option. But what you could do, I guess, is to offer the user the ability to change the password, and using the approach from [1] to update the affected service definitions afterwards. best regards, Florian Pflug [1] https://www.itefix.no/i2/isvcpwd [2] http://www.windowsnetworking.com/kbase/windowstips/windowsnt/registrytips/miscellaneous/LSASecrets.html
В списке pgsql-hackers по дате отправления: