| From: | Sam Mason <sam(at)samason(dot)me(dot)uk> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: How to know the password for the user 'postgres' |
| Date: | 2008-10-28 13:27:14 |
| Message-ID: | 20081028132714.GW2459@frubble.xen.chris-lamb.co.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Tue, Oct 28, 2008 at 01:43:08PM +0100, Thomas wrote:
> Yes this allows to login remotely through ssh for instance. But it
> doesn't offer a bigger backdoor than having a weak password on a sudo
> account.
In my eyes, the you've just increased the attack surface available for
getting the data---you've gone from a single account to two. Having
a weak password on the sudo account is still a way in, in addition
to breaking the postgres password. In practical terms this should
affect things materially; if you've got a strong password on the sudoers
account you're likely to have a strong one on the postgres account and
vice versa.
Sam
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Reid Thompson | 2008-10-28 13:58:57 | Re: Piping CSV data to psql when executing COPY .. FROM STDIN |
| Previous Message | Grzegorz Jaśkiewicz | 2008-10-28 13:23:31 | Re: [Help] Config Failure on Mac OSX: psqlodbc-08.03.0300 |