Re: psql and security
| From | Peter Eisentraut |
|---|---|
| Subject | Re: psql and security |
| Date | |
| Msg-id | Pine.LNX.4.30.0109211509120.680-100000@peter.localdomain |
| In reply to | psql and security (Tatsuo Ishii <t-ishii@sra.co.jp>) |
| Responses | Re: psql and security |
| List | pgsql-hackers |
Tatsuo Ishii writes:

> As you can see, psql reconnects as any user if the password is the same as
> foo. Of course this is due to the careless password setting, but I
> think it's better to prompt ANY TIME the user tries to switch to
> another user.

I'm not sure. A few users have voiced concerns about this before, but we have no count of the users that might enjoy this convenience. ;-)

Basically, the attack scenario here is that if you have a psql running and leave your terminal, someone else can come in and get access to any other database that you might have access to, without knowing your password. But given a running psql, figuring out the password isn't so hard (running a debugger or inducing a core dump would be likely options), and concluding that this password is valid for all databases is trivial since that's the default setup.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter