Andrew Dunstan wrote:
>>
>
> It strikes me that this is actually a bad thing for pgadmin3 to be
> doing. It should use its own file, not the deafult location, at least
> if the libpq version is >= 8.1. We provided the PGPASSFILE environment
> setting just so programs like this could use alternative locations for
> the pgpass file. Otherwise, it seems to me we are violating the POLS,
> as in the case of this user who not unnaturally thought he had found a
> major security hole.
.pgpass is THE mechanism for storing libpq passwords, so what is wrong?
If the account is assumed insecure, the user shouldn't check "store
password" in pgadmin3.
That's a libpq issue, not a pgadmin3 issue.
Regards,
Andreas