| From: | Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl> |
|---|---|
| To: | "Trewern, Ben" <Ben(dot)Trewern(at)mowlem(dot)com> |
| Cc: | 'Jan Wieck' <JanWieck(at)Yahoo(dot)com>, adeon <adeon(at)tlen(dot)pl>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: How to deny user changing his own password? |
| Date: | 2003-05-29 20:54:24 |
| Message-ID: | 20030529205424.GG2878@dcc.uchile.cl |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, May 29, 2003 at 05:36:04PM +0100, Trewern, Ben wrote:
> Now I think about this it would be useful: I have an Access database which
> connects to postgres and the password is saved in the access frontend. If
> someone (not sure how!) runs ALTER USER ..... WITH PASSWORD '....'; via the
> frontend they could disrupt the connection to the postgres backend. I'm
> sure a similar situation could happen with PHP or similar as you often don't
> use the postgres security features to secure your application.
Not sure with Access, but in general when running something backed by a
database you should not just allow arbitrary SQL reach the database.
There should be no way for any user of the application to execute an
ALTER USER query.
--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Before you were born your parents weren't as boring as they are now. They
got that way paying your bills, cleaning up your room and listening to you
tell them how idealistic you are." -- Charles J. Sykes' advice to teenagers
| From | Date | Subject | |
|---|---|---|---|
| Next Message | scott.marlowe | 2003-05-29 20:56:16 | Re: Postmaster only takes 4-5% CPU |
| Previous Message | scott.marlowe | 2003-05-29 20:31:11 | Re: FW: Blocking access to the database?? |