From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | jd(at)commandprompt(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Getting rid of the flat authentication file |
Date: | 2009-08-28 17:05:12 |
Message-ID: | 603c8f070908281005w6cd59ae0mb5d5e3e4a429a722@mail.gmail.com |
Lists: | pgsql-hackers |

On Fri, Aug 28, 2009 at 12:12 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
>> On Fri, 2009-08-28 at 11:52 -0400, Tom Lane wrote:
>>> I've thought of an easier way to handle this: if the given database name
>>> is invalid, connect to database "postgres" instead, and perform
>>> authentication using normal access to the pg_auth catalogs. If
>>> authentication succeeds, *then* throw the error about nonexistent
>>> database. If "postgres" is not there, we'd still expose existence
>>> of the original database name early, but how many installations don't
>>> have that?
>
>> I run into it all the time. People drop the postgres database as not
>> needed.
>
> Well, it isn't, unless you are worried about a third-order security
> issue like whether someone can identify database names by a brute
> force attack. The only problem if it's not there is we'll throw the
> "no such db" error before user validation instead of after. I'm feeling
> that that isn't worth a large expenditure of effort, as long as there's
> a reasonable way to configure the system so it is secure if you care
> about that.

Although this seems reasonably OK from a security point of view, it
does seem to violate the POLA.

...Robert