| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: postgres uptime |
| Date: | 2004-08-20 04:40:11 |
| Message-ID: | 16287.1092976811@sss.pgh.pa.us |
| Lists: | pgsql-hackers |
"Marc G. Fournier" <scrappy(at)postgresql(dot)org> writes:
> Good point(s) ... but, what would that give an attacker? Being able to
> isolate the random seed, that is?
Well, the random seed determines the salt values that will be used to
challenge password logins. So it might help you execute a
password-replay attack, i.e. try just at the time when you'll be offered a
salt that you saw before. But I'm not a blackhat by nature and I'm sure
I'm missing a lot of possibilities.
> Does anyone have any 'benefits' to implementing such a thing that we can
> list? The cons appear to be easy, what about pros?
That's exactly what's bugging me --- I have not seen any particularly
strong defense of why we *should* have this function.
Your suggestion in another mail of restricting it to superusers would
eliminate most or all of the security gripes I'm raising. Whether that
still leaves it useful to the original suggester's purpose, I dunno...
regards, tom lane
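The point Tom makes above, that a predictable seed makes the login salts predictable and so makes a captured response reusable, can be shown concretely. The following is an added example, not code from this thread or from the PostgreSQL source. It models the md5 password-authentication exchange (client answers a 4-byte server salt with `md5(md5(password || user) || salt)`, which the server recomputes from its stored `md5(password || user)`), and contrasts a salt source driven by a seeded `random.Random` (illustrative of the weakness being discussed) with one driven by the OS CSPRNG via `secrets`. The function and variable names, the seed value and the sample user are all constructed for the example.

```python
import hashlib
import random
import secrets
from typing import Callable, List


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_secret(user: str, password: str) -> str:
    """What the server keeps: md5(password || username), never the password itself."""
    return md5_hex((password + user).encode())


def client_response(user: str, password: str, salt: bytes) -> str:
    """Client's answer to a challenge: "md5" || md5( md5(password || user) || salt ).
    The same (user, password, salt) always yields the same response, which is why a
    reissued salt lets a previously observed response be accepted again."""
    return "md5" + md5_hex(stored_secret(user, password).encode() + salt)


def server_accepts(secret: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response from the stored secret and the salt it sent."""
    return response == "md5" + md5_hex(secret.encode() + salt)


def seeded_salt_source(seed: int) -> Callable[[], bytes]:
    """Weak setting (constructed for illustration): salts from a PRNG whose whole output
    stream follows from one integer seed, so anyone who learns the seed knows every
    future salt and when a given one will be offered again."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32).to_bytes(4, "little")


def csprng_salt_source() -> Callable[[], bytes]:
    """Corrected setting: salts from the operating system's CSPRNG."""
    return lambda: secrets.token_bytes(4)


def next_salts(source: Callable[[], bytes], n: int) -> List[bytes]:
    """Draw the next n challenge salts from a salt source."""
    return [source() for _ in range(n)]


def salts_reproducible_from_seed(observed: List[bytes], seed: int) -> bool:
    """Defender's check: can the salts a server actually issued be regenerated from a
    candidate seed?  True means the salt schedule is predictable and a captured
    (salt, response) pair can be reused at a known time; a sound salt source must
    make this False for every seed."""
    return observed == next_salts(seeded_salt_source(seed), len(observed))


def demo() -> None:
    user, password = "alice", "correct horse battery staple"  # constructed sample login
    secret = stored_secret(user, password)

    # A server using the weak source: its salt schedule is fully determined by the seed.
    weak_server = seeded_salt_source(1234)
    issued = next_salts(weak_server, 5)
    print("salts reproducible from seed 1234:", salts_reproducible_from_seed(issued, 1234))

    # A response observed for the first salt is accepted whenever that salt is reissued.
    first_salt = issued[0]
    observed_response = client_response(user, password, first_salt)
    print("observed response accepted for same salt:",
          server_accepts(secret, first_salt, observed_response))
    print("observed response accepted for a different salt:",
          server_accepts(secret, issued[1], observed_response))

    # With a CSPRNG the issued salts cannot be regenerated from any guessed seed.
    strong_issued = next_salts(csprng_salt_source(), 5)
    print("CSPRNG salts reproducible from seed 1234:",
          salts_reproducible_from_seed(strong_issued, 1234))


if __name__ == "__main__":
    demo()
```

The check `salts_reproducible_from_seed` is the practical takeaway: a challenge-response scheme is only as strong as the unpredictability of its challenges, so the salt source, not just the hash, is what has to be audited. Exposing the seed (the function under discussion in the thread) turns a one-time eavesdropped exchange into a reusable credential.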