Re: New pg_pwd patch and stuff

From Bruce Momjian
Subject Re: New pg_pwd patch and stuff
Date
Msg-id 199801112153.QAA13476@candle.pha.pa.us
Replies Re: New pg_pwd patch and stuff  (The Hermit Hacker <scrappy@hub.org>)
Re: [HACKERS] Re: New pg_pwd patch and stuff  (Peter T Mount <psqlhack@maidast.demon.co.uk>)
List pgsql-hackers
> > It has to be this way, otherwise it would be possible for a user to see
> > other users' passwords in pg_user.  I spoke to you all about this when I
> > first started.  I was going to make a separate relation (pg_password),
> > but I was convinced not to since there is a one to one correlation
> > between users and passwords.  At this point I sent email to the effect
> > that pg_user could no longer be readable by the group 'public'.  If it
> > was readable by public, then the passwords would have to be encrypted in
> > pg_user.  If this is the case, then the frontends will have to pass an
> > unencrypted password over the network.  Again this degrades the security
> > of PostgreSQL.
> >
> > The real solution to this problem would be to create a pg_privileges
> > relation, overhauling the privileges system entirely.  Then we could
> > just restrict access to the password column of pg_user.  However, I
> > would suggest that the entire pg_privileges table be cached in shared
> > memory to speed things up.  I am unsure if the catalog tables are cached
> > in shared memory or not (They really should be, but then this would
> > probably require some logging to files in case of system crash).
> >
> > In the meantime, there should really be nothing that the average user
> > will need from pg_user.  The '\d' is the only problem I have encountered
> > thus far, and I hope to solve that problem soon.  Therefore, if you
> > really, really need something from pg_user, then you need to have select
> > privileges given to you explicitly, or you could explicitly give them to
> > public.  This would, however, give public the ability to see user
> > passwords (If you are using HBA only, then just give public the select
> > over pg_user).
>
>     Wait, let me just get this straight here...pg_user is, by default,
> unreadable by the general public, but is changeable just using a simple
> grant/revoke??
>
>     If so, I'm confused as to why this is a bad thing?  Bruce?  Sort
> of seems to me that it's like the TCP/Unix Socket argument...go to the most
> secure first, then let the one setting it up downgrade as they feel is
> appropriate...no?

OK, general question.  Does pg_user need to be readable?  Do
non-postgres users want to see who owns each table?  I don't know.

--
Bruce Momjian
maillist@candle.pha.pa.us
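
The trade-off raised in the quoted message (cleartext passwords in the catalog versus cleartext passwords on the wire), as an added example that is not part of the original post and is not PostgreSQL code. It assumes a generic HMAC-SHA256 challenge-response and PBKDF2 as stand-ins for the real protocol and hash; every class, function and sample value is hypothetical.

```python
import hashlib
import hmac
import secrets

def respond(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of `secret` without putting it on the wire."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def one_way(password: str, salt: bytes) -> bytes:
    """Stand-in for the 'encrypted' (one-way hashed) catalog value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CleartextCatalog:
    """Catalog row holds the password itself, so it must not be world-readable."""
    def __init__(self, password: str):
        self.stored = password.encode()
    def verify_response(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(respond(self.stored, challenge), response)

class HashedCatalog:
    """Catalog row holds only salt + one-way hash, so exposure is less damaging."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.stored = one_way(password, self.salt)
    def verify_response(self, challenge: bytes, response: bytes) -> bool:
        # The server cannot recompute HMAC(password, challenge) from a hash,
        # so an honest client's response never matches.
        return hmac.compare_digest(respond(self.stored, challenge), response)
    def verify_cleartext(self, password_on_wire: str) -> bool:
        # Works, but only because the password itself crossed the network.
        return hmac.compare_digest(one_way(password_on_wire, self.salt), self.stored)

def demo() -> dict:
    password = "constructed-sample-pw"   # constructed sample value
    challenge = secrets.token_bytes(16)  # fresh per login attempt
    clear, hashed = CleartextCatalog(password), HashedCatalog(password)
    return {
        "clear_ok": clear.verify_response(challenge, respond(password.encode(), challenge)),
        "clear_wrong_pw": clear.verify_response(challenge, respond(b"guess", challenge)),
        "hashed_challenge": hashed.verify_response(challenge, respond(password.encode(), challenge)),
        "hashed_cleartext": hashed.verify_cleartext(password),
    }
```

Calling `demo()` shows that only the cleartext catalog can check a challenge response, while the hashed catalog can authenticate only when the password itself is sent to the server.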
