From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Dave Page <dpage(at)vale-housing(dot)co(dot)uk> |
Cc: | Hiroshi Saito <z-saito(at)guitar(dot)ocn(dot)ne(dot)jp>, Thomas Bley <thbley(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: password is no required, authentication is overridden |
Date: | 2006-07-19 14:19:46 |
Message-ID: | 44BE3F82.7090500@dunslane.net |
Lists: | pgsql-hackers |
Dave Page wrote:
>>-----Original Message-----
>>From: pgsql-hackers-owner(at)postgresql(dot)org
>>[mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of
>>Andrew Dunstan
>>Sent: 19 July 2006 13:55
>>To: Hiroshi Saito
>>Cc: Thomas Bley; pgsql-hackers(at)postgresql(dot)org
>>Subject: Re: [HACKERS] password is no required,
>>authentication is overridden
>>
>>
>>I don't understand what you are saying here. The problem is that it is
>>not clear (at least to the original user, and maybe to others) that when
>>pgadmin3 saves a password it saves it where it will be found by all
>>libpq clients, not just by pgadmin3.
>>
>>
>
>From: http://www.pgadmin.org/docs/1.4/connect.html
>
>If you select "store password", pgAdmin stores passwords you enter in
>the ~/.pgpass file under *nix or %APPDATA%\postgresql\pgpass.conf under
>Win32 for later reuse. For details, see pgpass documentation. It will be
>used for all libpq based tools. If you want the password removed, you
>can select the server's properties and uncheck the selection any time.
>
>
>
OK, although I am not sure I think that is sensible - it is at least
documented. Does the dialog box also carry similar info?
>
>
>>How is that optimal? If pgadmin3
>>were to save it in a non-standard location and then set PGPASSFILE to
>>point to that location that would solve the problem. Or maybe it should
>>offer a choice. Either way, how would a malicious user affect that?
>>PGPASSFILE only contains a location, not the contents of the file, so
>>exposing it is not any great security issue, as long as the location is
>>itself protected.
>>
>>
>
>We have no sensible way of determining whether or not the libpq we are
>running with supports PGPASSFILE.
>
>
>
>
Well, this answer is better. The lack of an API to tell you the library
version is possibly worrying, though.
cheers
andrew
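
Added example, not part of the original message and not pgAdmin or libpq code: a Python audit of the password file discussed in this thread, showing which file a libpq client would read, whether its location is protected, and which connections a stored entry would authenticate without a prompt. It assumes libpq's documented file format (`host:port:database:user:password`, `*` wildcards, backslash escapes, first match wins) and Unix permission rule; the function names and sample entries are constructed, and host matching is simplified to plain string comparison.

```python
import os
import stat

def pgpass_path(env=os.environ):
    """File a libpq client consults: PGPASSFILE if set, else ~/.pgpass (Unix default)."""
    return env.get("PGPASSFILE") or os.path.join(os.path.expanduser("~"), ".pgpass")

def perms_ok(path):
    """On Unix, libpq ignores the file if group or others have any access to it."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def split_fields(line):
    """Split host:port:db:user:password, honouring the \\: and \\\\ escapes."""
    fields, cur, i = [], "", 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur += line[i + 1]          # escaped character is taken literally
            i += 2
            continue
        if line[i] == ":" and len(fields) < 4:
            fields.append(cur)
            cur = ""
        else:
            cur += line[i]
        i += 1
    return fields + [cur]

def parse_pgpass(text):
    """Return (host, port, db, user) per entry; the password is deliberately dropped."""
    rows = (split_fields(l) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return [tuple(f[:4]) for f in rows if len(f) == 5]

def first_match(entries, host, port, db, user):
    """Entry that supplies the password: first line whose fields equal the target or '*'."""
    target = (host, str(port), db, user)
    for e in entries:
        if all(p in ("*", v) for p, v in zip(e, target)):
            return e
    return None

# Constructed sample file content, not real credentials.
SAMPLE = "# comment\ndb1.example.test:5432:sales:alice:s3cr\\:et\n*:5432:*:postgres:hunter2\n"

if __name__ == "__main__":
    path = pgpass_path()
    if os.path.exists(path):
        print(path, "- permissions ok" if perms_ok(path) else "- group/world accessible")
        with open(path) as fh:
            for entry in parse_pgpass(fh.read()):
                print("stored password applies to any libpq client for", entry)
```

Run as the account that uses pgAdmin, it lists every host, database and user for which psql, pg_dump or any other libpq tool would connect without asking for a password.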