Re: pgadmin security issue

From: Julius Tuskenis <julius(at)nsoft(dot)lt>
To:
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: pgadmin security issue
Date: 2008-04-23 07:11:56
Message-ID: 480EE13C.9010103@nsoft.lt
Lists: pgadmin-support

Hi, Suren,

> PROBLEM 1
>
> Even though we can restrict a user for a couple of databases, the user
> can disconnect from the current session and edit the connection
> properties.
>
> So this means he could remove the DB restriction field "datname IN
> ('live_db', 'test_db')" and reconnect and see all the other databases.
>
> I recommend setting up an admin account at the time of installing
> pgadmin, and only by logging in to the admin account of pgadmin should
> one be able to create, edit and view connection properties.
>
I think it's not pgAdmin you should set permissions on. You should not
grant your user to connect to databases you don't want him to (in
PostgreSQL).
>
> PROBLEM 2
>
> When making a connection to the DB server with pgadmin, if you use a
> valid db name and a valid user login name
>
> then pgadmin will allow access to the database without checking the
> password.
>
> I mean if I type a wrong password BUT if the user account and the
> database are valid I will still be able to access the database.
>
> I’m new to postgres so I’m not sure if this is a real bug or if this
> is a feature. Please update me ASAP.
>
> Thanks
>
> Suren
>
Configure your PostgreSQL. Check in the file pg_hba.conf that you have the "md5"
identification method, not "trust".

--
Julius Tuskenis
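
As an added example (not part of Julius's message and not PostgreSQL or pgAdmin code), the pg_hba.conf check described above can be scripted: the Python below parses the file's records and lists those whose method is "trust". The sample file contents, `app_user` and the function names are constructed for illustration; `live_db` and `test_db` are the names from the quoted message.

```python
import ipaddress
import shlex

# Record types that carry an address field (every type except "local").
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) for each record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops "#" comments, honours quotes
        if not fields:
            continue
        rtype = fields[0]
        if rtype == "local" and len(fields) >= 4:
            yield lineno, rtype, fields[1], fields[2], None, fields[3]
        elif rtype in HOST_TYPES and len(fields) >= 5:
            addr, pos = fields[3], 4
            # The "IP-address IP-mask" form spends two fields on the address.
            if _is_ip(addr) and len(fields) >= 6 and _is_ip(fields[4]):
                addr, pos = f"{addr} {fields[4]}", 5
            yield lineno, rtype, fields[1], fields[2], addr, fields[pos]

def find_trust(text):
    """Return the records whose method is "trust" (no password is checked)."""
    return [rec for rec in parse_hba(text) if rec[5] == "trust"]

# Constructed sample file, not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                 METHOD
local   all       postgres                          md5
host    all       all       127.0.0.1/32            trust
host    live_db   app_user  10.0.0.0 255.255.255.0  md5
host    test_db   all       192.168.1.0/24          trust   # lab subnet
"""

if __name__ == "__main__":
    for lineno, rtype, db, user, addr, method in find_trust(SAMPLE_HBA):
        print(f"line {lineno}: {rtype} db={db} user={user} addr={addr} -> {method}")
```

After changing a flagged line to a password-based method, the server has to reload its configuration before the new rule applies.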
