Postgres Pro
Downloads
Home   >   mailing lists

Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c) - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Date
Msg-id 199802191507.KAA19472@candle.pha.pa.us
Whole thread Raw
In response to AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)  (Zeugswetter Andreas SARZ <Andreas.Zeugswetter@telecom.at>)
List pgsql-hackers
Tree view 
Well, seeing as Jan is one of the rewrite/rules system experts, let's
ask him.

>
> Okay    :-(
>
> But: I think this is an error in the rewrite system. I think this query
> should get rewritten !
> Can we fix this ?
>
> Andreas
> > ----------
> > Von:     Jan Wieck[SMTP:jwieck@debis.com]
> > Antwort an:     Jan Wieck
> > Gesendet:     Donnerstag, 19. Februar 1998 15:53
> > An:     Zeugswetter Andreas SARZ
> > Cc:     pgsql-hackers@hub.org
> > Betreff:     Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
> >
> > >
> > > Hi all,
> > >
> > > What about:
> > > grant select on pg_user to public;
> > > create rule pg_user_hide_pw as on
> > > select to pg_user.passwd
> > > do instead select '********' as passwd;
> > >
> > > Then if I do:
> > > select * from pg_user;
> > > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd
> > |valuntil
> > >
> > --------+--------+-----------+--------+--------+---------+--------+-------
> > --
> > > -------------------
> > > postgres|       6|t          |t       |t       |t        |********|Sat
> > Jan
> > > 31 07:00:00 2037 NFT
> > > zeus    |      60|t          |t       |f       |t        |********|
> > > (2 rows)
> > >
> > > Also the \d works for all users !
> > >
> > > Only "disadvantage" is that noone can read passwd without first dropping
> > the
> > > rule pg_user_hide_pw,
> > > I consider this a feature though ;-)
> > >
> > > Since the userauthentication bypasses the rewrite mechanism the logins,
> > > alter user .. and others do work !
> > >
> > > Can all of you try to crack this ?
> >
> >     Cracked!
> >
> >     create table get_passwds (usename name, passwd text);
> >     insert into get_passwds select usename, passwd from pg_user;
> >     select * from get_passwds;
> >     usename|passwd
> >     -------+------
> >     pgsql  |
> >     wieck  |test
> >     (2 rows)
> >
> >
> >
> > Sorry, Jan
> >
> > --
> >
> > #======================================================================#
> > # It's easier to get forgiveness for being wrong than for being right. #
> > # Let's break this rule - forgive me.                                  #
> > #======================================== jwieck@debis.com (Jan Wieck) #
> >
> >
> >
>
>


--
Bruce Momjian
maillist@candle.pha.pa.us

pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Running pgindent
Next
From: Zeugswetter Andreas SARZ
Date:
Subject: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)