> I can "select * from pgshadow" as the database owner.
Are you saying you can do this as a database owner, not the postgres
user? I just tried it, and was not able to see the table contents:
xx=> select * from pg_shadow;ERROR: pg_shadow: Permission denied.
Yes, only the installation owner can do that. No way to do password stuff
unless the 'postgres' user can access the passwords, righ? Is that a
problem?
> > -----Original Message-----
> > From: owner-pgsql-hackers@postgreSQL.org
> > [mailto:owner-pgsql-hackers@postgreSQL.org]On Behalf Of Bruce Momjian
> > Sent: 09 July 1999 17:41
> > To: Hannu Krosing
> > Cc: Gene Sokolov; PostgreSQL-development
> > Subject: Re: [HACKERS] Updated TODO list
> >
> >
> > > > But we don't, do we? I thougth they were hashed.
> > >
> > > do
> > > select * from pg_shadow;
> > >
> > > I think that it was agreed that it is better when they
> > can't bw snatched
> > > from
> > > network than to have them hashed in db.
> > > Using currently known technologies we must either either know the
> > > original password
> > > and use challenge-response on net, or else use plaintext
> > (or equivalent)
> > > on the wire.
> >
> > Yes, I remember now, we hash them with random salt before sending them
> > to the client, and they are only visible to the postgres user.
> >
> > --
> > Bruce Momjian | http://www.op.net/~candle
> > maillist@candle.pha.pa.us | (610) 853-3000
> > + If your life is a hard drive, | 830 Blythe Avenue
> > + Christ can be your backup. | Drexel Hill,
> > Pennsylvania 19026
> >
> >
>
>
-- Bruce Momjian | http://www.op.net/~candle maillist@candle.pha.pa.us | (610)
853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill,
Pennsylvania19026
