| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Anthony Metzidis <metzidis(at)mednet(dot)ucla(dot)edu> |
| Cc: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: PG_PWD and PG_PASSWORD Security |
| Date: | 2001-03-01 19:05:53 |
| Message-ID: | Pine.LNX.4.30.0103012002540.760-100000@peter.localdomain |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Anthony Metzidis writes:
> Is there any way to keep postgres from saving the passwords in plain
> text?
No.
> This seems to be a huge security hole.
No, because the directory that contains these files shouldn't be world
readable. The issue has been noted though, but no one has implemented a
better solution yet.
> I thought that passwords were to be saved in PG_SHADOW. What is
> PG_SHADOW for anyway?
Pg_shadow is the system catalog table that stores the user information,
such as user name and password. The pg_pwd file is a plain text dump of
pg_shadow, which is necessary because at the time the password is needed
(during the connection attempt), the system can't read the pg_shadow table
yet (because it's not connected yet, sort of).
--
Peter Eisentraut peter_e(at)gmx(dot)net http://yi.org/peter-e/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2001-03-01 19:07:05 | Re: Postgres eats up memory when using cursors |
| Previous Message | Peter T. Brown | 2001-03-01 18:53:11 | restore from base |