
Re: Security Concerns over User 'postgres'

From: "Lane Van Ingen" <lvaningen(at)esncc(dot)com>
To: "'Tom Lane'" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Security Concerns over User 'postgres'
Date: 2006-09-22 21:07:04
Message-ID: TWMAILNzW3l1GM3h3vL00000068@twmail.ESNCC.COM
Lists: pgsql-admin
Looked at /etc/shadow, and (in fact) it doesn't have a password, so I was
wrong about that. 

Tried to use the login command to log directly into postgres, but for
some reason could not do that on RHEL 4.0 either. So, like you said, I am
not certain that I have a vulnerability here at all, other than su-ing from
root.

-----Original Message-----
From: Tom Lane [mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us] 
Sent: Friday, September 22, 2006 3:08 PM
To: Lane Van Ingen
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: [ADMIN] Security Concerns over User 'postgres' 

"Lane Van Ingen" <lvaningen(at)esncc(dot)com> writes:
> We created our PostgreSQL instance by compiling it from source, and the
> instance is working just fine. User postgres runs the service; we do not
> know what the password is, and we think it got created automatically by
> the compile / install process.

Are you sure it even *has* a password?  In the default RPM installation,
user postgres is created without any password --- the only way to become
postgres is to su there from root, and if you've got root you hardly
need to crack into postgres.

			regards, tom lane
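
Added example, not part of the original messages: a shell function that classifies the password field of a shadow(5) entry, the check described above for the postgres account. The function name `shadow_pw_state` and the sample entries are constructed for illustration; an account created without a password normally shows a locked marker such as `!!`, which is different from an empty field.

```shell
# Classify the password field (2nd colon-separated field) of a shadow(5) entry.
# Prints one of: empty, locked, locked-hash, hash, absent
shadow_pw_state() {
    # $1 = account name, $2 = file in /etc/shadow format
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            p = $2
            if (p == "")            s = "empty"        # no password required (PAM may still refuse)
            else if (p ~ /^[!*]+$/) s = "locked"       # no usable password, e.g. "!!" or "*"
            else if (p ~ /^!/)      s = "locked-hash"  # hash present but disabled by leading "!"
            else                    s = "hash"         # a password is set
            print s
            exit
        }
        END { if (!found) print "absent" }
    ' "$2"
}

# Constructed sample entries (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$constructedsalt$constructedhash:13414:0:99999:7:::
postgres:!!:13414:0:99999:7:::
daemon:*:13414:0:99999:7:::
guest::13414:0:99999:7:::
olduser:!$6$constructedsalt$constructedhash:13414:0:99999:7:::
EOF

for u in root postgres daemon guest olduser nobody; do
    printf '%-9s %s\n' "$u" "$(shadow_pw_state "$u" "$sample")"
done
```

On a live system, pass `/etc/shadow` as the second argument; reading it requires root. An `empty` result is the one to act on, since `locked` means the account can only be reached via su from root or another already-authenticated path.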

