| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: psql and security |
| Date: | 2001-09-21 14:29:38 |
| Message-ID: | 28061.1001082578@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp> writes:
> As you can see, psql reconnect as any user if the password is same as
> foo. Of course this is due to the careless password setting, but I
> think it's better to prompt ANY TIME the user tries to switch to
> another user. Comments?
Yeah, I agree. Looks like a simple change in dbconnect():
/*
* Use old password if no new one given (if you didn't have an old
* one, fine)
*/
if (!pwparam && oldconn)
pwparam = PQpass(oldconn);
to
/*
* Use old password (if any) if no new one given and we are
* reconnecting as same user
*/
if (!pwparam && oldconn && PQuser(oldconn) && userparam &&
strcmp(PQuser(oldconn), userparam) == 0)
pwparam = PQpass(oldconn);
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2001-09-21 14:32:33 | Re: [HACKERS] psql and security |
| Previous Message | Peter Eisentraut | 2001-09-21 13:16:37 | Re: psql and security |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2001-09-21 14:32:33 | Re: [HACKERS] psql and security |
| Previous Message | Otto Hirr | 2001-09-21 14:23:09 | Re: cvsup trouble - ODBC blown away !?!? |