Re: Password issue revisited

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Shane Ambler <pgsql(at)007Marketing(dot)com>
Cc: Michael Schmidt <michaelmschmidt(at)msn(dot)com>, PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: Password issue revisited
Date: 2007-02-20 14:49:00
Message-ID: 200702201449.l1KEn0r21849@momjian.us
Lists: pgsql-docs pgsql-general


Added to TODO for Win32:

o Check .pgpass file permissions

---------------------------------------------------------------------------

Shane Ambler wrote:
> Michael Schmidt wrote:
> > Fellow PostgreSQL fans,
>
> > 1. I don't see that this would pose a major security risk. In
> > fact, in applications where the user enters the password for each
> > session, the password need never be saved to disk, which seems a
> > definite security advantage. Some folks have noted that .pgpass is
> > a plain text file, hence it could be vulnerable.
>
> Yes it is a plain text file but if you want to use it then you need to
> ensure the security is sufficient on the file or it won't be used.
>
> As per the manual -
>
> > The permissions on .pgpass must disallow any access to world or
> > group; achieve this by the command chmod 0600 ~/.pgpass. If the
> > permissions are less strict than this, the file will be ignored.
> > (The file permissions are not currently checked on Microsoft
> > Windows, however.)
>
>
> So this security feature should be something that gets added to the
> Windows version. But otherwise the security of the user's account that
> has a .pgpass file is the decider on whether it is vulnerable.
>
>
> --
>
> Shane Ambler
> pgSQL(at)007Marketing(dot)com
>
> Get Sheeky @ http://Sheeky.Biz

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
