Re:

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Servio Medina <SMedina(at)iDefense(dot)com>
Cc: "'pgsql-bugs(at)postgresql(dot)org'" <pgsql-bugs(at)postgresql(dot)org>
Subject: Re:
Date: 2000-04-25 21:58:37
Message-ID: 14685.956699917@sss.pgh.pa.us
Lists: pgsql-bugs

Servio Medina <SMedina(at)iDefense(dot)com> writes:
> The passwords being cleartext, and readable by user postgres (and root,
> of course), allows bypassing the password mechanism, and gives access to all
> databases. (compromising user 'postgres' or reading the pg_shadow file gives
> access to the usernames/passwords)

Not sure exactly what you think the vulnerability is. Postgres and root
can read all the databases anyway, so what matter whether they can read
the passwords?

Of course, if one also uses one's login password as a database password,
it'd not be too cool, but cleartext storage of the passwords is far from
the weakest link...

regards, tom lane

In response to

  • at 2000-04-25 20:04:55 from Servio Medina
