Re: psql and security

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: psql and security
Date: 2001-09-21 14:29:38
Message-ID: 28061.1001082578@sss.pgh.pa.us
Lists: pgsql-general, pgsql-hackers

Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp> writes:
> As you can see, psql reconnects as any user if the password is the same as
> foo. Of course this is due to the careless password setting, but I
> think it's better to prompt ANY TIME the user tries to switch to
> another user. Comments?

Yeah, I agree.  Looks like a simple change in dbconnect():

    /*
     * Use old password if no new one given (if you didn't have an old
     * one, fine)
     */
    if (!pwparam && oldconn)
        pwparam = PQpass(oldconn);

to

    /*
     * Use old password (if any) if no new one given and we are
     * reconnecting as same user
     */
    if (!pwparam && oldconn && PQuser(oldconn) && userparam &&
        strcmp(PQuser(oldconn), userparam) == 0)
        pwparam = PQpass(oldconn);

			regards, tom lane
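
Added example (not part of the original message or of psql's source): a self-contained C model of the two rules quoted above, run over constructed reconnect targets for a session opened as foo. The names conn_model, pick_old, pick_new and cross_user_reuse are hypothetical, and a NULL target is assumed to mean that no user name was given.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for what psql reads via PQuser()/PQpass(). */
struct conn_model {
    const char *user;   /* user of the existing connection */
    const char *pass;   /* password cached from that connection */
};
typedef const char *(*pick_fn)(const struct conn_model *, const char *, const char *);

/* Rule before the change: the target user is never consulted. */
static const char *pick_old(const struct conn_model *oldconn,
                            const char *userparam, const char *pwparam)
{
    (void) userparam;
    if (!pwparam && oldconn)
        pwparam = oldconn->pass;
    return pwparam;
}

/* Rule after the change: inherit only when reconnecting as the same user. */
static const char *pick_new(const struct conn_model *oldconn,
                            const char *userparam, const char *pwparam)
{
    if (!pwparam && oldconn && oldconn->user && userparam &&
        strcmp(oldconn->user, userparam) == 0)
        pwparam = oldconn->pass;
    return pwparam;
}

/* Count constructed targets for which foo's cached password is reused as another user. */
static int cross_user_reuse(pick_fn pick)
{
    static const char *const targets[] = { "foo", "bar", "postgres", NULL };
    const struct conn_model old = { "foo", "secret" };   /* constructed session */
    int n = 0;
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        int same = targets[i] && strcmp(targets[i], old.user) == 0;
        if (pick(&old, targets[i], NULL) != NULL && !same)
            n++;
    }
    return n;
}

int main(void)
{
    printf("old: %d  new: %d\n", cross_user_reuse(pick_old), cross_user_reuse(pick_new));
    return 0;
}
```

Under the earlier rule every target other than foo inherits the cached password; under the changed rule none does, while a password given explicitly is still passed through unchanged.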
