Discussion: prevent user change password?

prevent user change password?

From
Richard Hayward
Date:
Is it possible to prevent a user from changing their password?

I have a database with a 'Guest' account, that will have limited
access. I don't want any of my guests to change the Guest account
password.

tia
Richard

Re: prevent user change password?

From
Tom Lane
Date:
Richard Hayward <richard@tortoise.demon.co.uk> writes:
> Is it possible to prevent a user from changing their password?

No.

> I have a database with a 'Guest' account, that will have limited
> access. I don't want any of my guests to change the Guest account
> password.

Perhaps you should use something other than password authentication
for the guest account.

            regards, tom lane

Re: prevent user change password?

From
Bruno Wolff III
Date:
On Tue, May 31, 2005 at 18:03:04 +0100,
  Richard Hayward <richard@tortoise.demon.co.uk> wrote:
> Is it possible to prevent a user from changing their password?
>
> I have a database with a 'Guest' account, that will have limited
> access. I don't want any of my guests to change the Guest account
> password.

Your best solution is probably to tell them not to change the password.
It is very unlikely anyone would do this by accident and if you don't
trust them enough to not do it deliberately, then they probably shouldn't
be sharing an account.

Re: prevent user change password?

From
Richard Hayward
Date:
On Wed, 01 Jun 2005 11:39:22 -0400, tgl@sss.pgh.pa.us (Tom Lane)
wrote:

>> I have a database with a 'Guest' account, that will have limited
>> access. I don't want any of my guests to change the Guest account
>> password.
>
>Perhaps you should use something other than password authentication
>for the guest account.

Thanks for your reply Tom,

I want anyone from anywhere to be able to connect to my_database (only
my_database,  not others in the cluster) using the guest account. The
system is to be live on the Internet.

Putting:

host  my_database  guest   0.0.0.0      0.0.0.0  trust

ahead of other entries in pg_hba.conf seems to do the trick. Even if
guest is given a password, or it gets changed, guest can connect
without being asked for it.

The guest account will only be allowed select permissions.

Does this open me to being attacked? I assume guest could then query
various system tables, but that other users' passwords are either not
visible or securely encrypted.

regards
Richard


Re: prevent user change password?

From
Tom Lane
Date:
Richard Hayward <richard@tortoise.demon.co.uk> writes:
> On Wed, 01 Jun 2005 11:39:22 -0400, tgl@sss.pgh.pa.us (Tom Lane)
> wrote:
>> Perhaps you should use something other than password authentication
>> for the guest account.

> I want anyone from anywhere to be able to connect to my_database (only
> my_database,  not others in the cluster) using the guest account. The
> system is to be live on the Internet.

> Putting:

> host  my_database  guest   0.0.0.0      0.0.0.0  trust

> ahead of other entries in pg_hba.conf seems to do the trick. Even if
> guest is given a password, or it gets changed, guest can connect
> without being asked for it.

> The guest account will only be allowed select permissions.

> Does this open me to being attacked? I assume guest could then query
> various system tables, but that other users' passwords are either not
> visible or securely encrypted.

I'd be inclined to use a postmaster dedicated *only* to that purpose,
running under a Unix userid also dedicated to that purpose.  We do come
across security holes from time to time ...

            regards, tom lane
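
The first-match behaviour of pg_hba.conf discussed in this thread, as an added example that is not part of the original messages: a small Python audit that parses `host` records, reports which record a given connection hits first, and lists `trust` records open to every address. The `md5` catch-all record, the function names and the client address are constructed for illustration.

```python
import ipaddress

# Constructed sample: the trust line from the thread placed ahead of a
# hypothetical md5 catch-all (the second record is an assumption).
SAMPLE_HBA = """
# TYPE  DATABASE     USER   ADDRESS  MASK     METHOD
host    my_database  guest  0.0.0.0  0.0.0.0  trust
host    all          all    0.0.0.0  0.0.0.0  md5
"""

def parse_hba(text):
    """Parse 'host' records in ADDRESS MASK or CIDR form (IPv4 or IPv6)."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 5 or f[0] != "host":
            continue
        if "/" in f[3]:                       # host db user addr/len method
            net, method = ipaddress.ip_network(f[3], strict=False), f[4]
        elif len(f) >= 6:                     # host db user addr mask method
            bits = bin(int(ipaddress.ip_address(f[4]))).count("1")
            net = ipaddress.ip_network(f"{f[3]}/{bits}", strict=False)
            method = f[5]
        else:
            continue
        rules.append({"db": f[1], "user": f[2], "net": net, "method": method})
    return rules

def first_match(rules, db, user, client_ip):
    """Return the first record matching the connection; later ones are ignored.
    Only 'all' and literal names are handled for the db and user fields."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r["db"] in ("all", db) and r["user"] in ("all", user)
                and ip.version == r["net"].version and ip in r["net"]):
            return r
    return None                               # no record matches: rejected

def open_trust_rules(rules):
    """Trust records that accept every address of their address family."""
    return [r for r in rules if r["method"] == "trust" and r["net"].prefixlen == 0]

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    hit = first_match(rules, "my_database", "guest", "203.0.113.7")
    print("guest on my_database ->", hit["method"])
    for r in open_trust_rules(rules):
        print("open trust record:", r["db"], r["user"], r["net"])
```

Swapping the two records makes the `md5` line win for guest as well, which is why the position of the trust record in the file matters.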