On Fri, Aug 28, 2009 at 12:12 PM, Tom Lane<tgl@sss.pgh.pa.us> wrote:
> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> On Fri, 2009-08-28 at 11:52 -0400, Tom Lane wrote:
>>> I've thought of an easier way to handle this: if the given database name
>>> is invalid, connect to database "postgres" instead, and perform
>>> authentication using normal access to the pg_auth catalogs. If
>>> authentication succeeds, *then* throw the error about nonexistent
>>> database. If "postgres" is not there, we'd still expose existence
>>> of the original database name early, but how many installations don't
>>> have that?
>
>> I run into it all the time. People drop the postgres database as not
>> needed.
>
> Well, it isn't, unless you are worried about a third-order security
> issue like whether someone can identify database names by a brute
> force attack. The only problem if it's not there is we'll throw the
> "no such db" error before user validation instead of after. I'm feeling
> that that isn't worth a large expenditure of effort, as long as there's
> a reasonable way to configure the system so it is secure if you care
> about that.
Although this seems reasonably OK from a security point of view, it
does seem to violate the POLA.
...Robert