
Re: How to deny user changing his own password?

From: Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl>
To: "Trewern, Ben" <Ben(dot)Trewern(at)mowlem(dot)com>
Cc: 'Jan Wieck' <JanWieck(at)Yahoo(dot)com>, adeon <adeon(at)tlen(dot)pl>, pgsql-general(at)postgresql(dot)org
Subject: Re: How to deny user changing his own password?
Date: 2003-05-29 20:54:24
Message-ID: 20030529205424.GG2878@dcc.uchile.cl
Lists: pgsql-general
On Thu, May 29, 2003 at 05:36:04PM +0100, Trewern, Ben wrote:
> Now I think about this it would be useful:  I have an Access database which
> connects to postgres and the password is saved in the Access frontend.  If
> someone (not sure how!) runs ALTER USER ..... WITH PASSWORD '....'; via the
> frontend they could disrupt the connection to the postgres backend.  I'm
> sure a similar situation could happen with PHP or similar as you often don't
> use the postgres security features to secure your application.

Not sure with Access, but in general when running something backed by a
database you should not just allow arbitrary SQL to reach the database.
There should be no way for any user of the application to execute an
ALTER USER query.

-- 
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Before you were born your parents weren't as boring as they are now. They
got that way paying your bills, cleaning up your room and listening to you
tell them how idealistic you are."  -- Charles J. Sykes' advice to teenagers
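
Added example, not part of the original message or of PostgreSQL: one way an application can ensure that no user input reaches the backend as SQL, by sending only fixed, named statements with bound parameters. The `notes` table, the `Gateway` class and the operation names are hypothetical, and sqlite3 stands in for the PostgreSQL backend so the block runs offline.

```python
import sqlite3

# Every statement the application can ever send. Assumed schema: one
# hypothetical "notes" table; sqlite3 stands in for the PostgreSQL backend.
STATEMENTS = {
    "add_note": "INSERT INTO notes (owner, body) VALUES (?, ?)",
    "list_notes": "SELECT body FROM notes WHERE owner = ? ORDER BY id",
}


class Gateway:
    """Only code path between user input and the database."""

    def __init__(self, conn):
        self._conn = conn

    def run(self, name, *params):
        # Callers choose a statement by name; they never supply SQL text.
        if name not in STATEMENTS:
            raise PermissionError(f"unknown operation: {name!r}")
        # Parameters are bound as values, so they are never parsed as SQL.
        cur = self._conn.execute(STATEMENTS[name], params)
        rows = cur.fetchall()
        self._conn.commit()
        return rows


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    gw = Gateway(conn)
    # Constructed input: text a user typed that happens to look like SQL.
    typed = "x'); ALTER USER app WITH PASSWORD 'changed'; --"
    gw.run("add_note", "ben", typed)
    stored = [row[0] for row in gw.run("list_notes", "ben")]
    try:
        gw.run(typed)  # free-form text is not an operation
        rejected = False
    except PermissionError:
        rejected = True
    return stored, rejected, typed


if __name__ == "__main__":
    print(demo())
```

The typed text comes back unchanged as a stored note, and passing it as an operation name is refused, so the only SQL the backend ever sees is the two fixed statements.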
