Re: psql and security - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: psql and security
Date
Msg-id 200110111654.f9BGsMn20407@candle.pha.pa.us
In response to Re: psql and security  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Patch applied.  Thanks Tatsuo and Tom.

> Tatsuo Ishii <t-ishii@sra.co.jp> writes:
> > As you can see, psql reconnects as any user if the password is the same as
> > foo. Of course this is due to the careless password setting, but I
> > think it's better to prompt ANY TIME the user tries to switch to
> > another user. Comments?
> 
> Yeah, I agree.  Looks like a simple change in dbconnect():
> 
>     /*
>      * Use old password if no new one given (if you didn't have an old
>      * one, fine)
>      */
>     if (!pwparam && oldconn)
>         pwparam = PQpass(oldconn);
> 
> to
> 
>     /*
>      * Use old password (if any) if no new one given and we are
>      * reconnecting as same user
>      */
>     if (!pwparam && oldconn && PQuser(oldconn) && userparam &&
>         strcmp(PQuser(oldconn), userparam) == 0)
>         pwparam = PQpass(oldconn);
> 
>             regards, tom lane

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
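
The two versions of the password-reuse check quoted above, side by side, as an added example that is not part of the original message or of psql's source. The struct conn type and the pick_password_* function names are hypothetical stand-ins for PGconn, PQuser() and PQpass(); a NULL result is assumed to mean that no password is carried over, so the user would have to be asked for one.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the PGconn fields read via PQuser()/PQpass(). */
struct conn { const char *user; const char *pass; };

/* Before the change: the old password is reused for any target user. */
const char *pick_password_before(const struct conn *oldconn,
                                 const char *userparam, const char *pwparam)
{
    (void) userparam;               /* the target user is never consulted */
    if (!pwparam && oldconn)
        pwparam = oldconn->pass;
    return pwparam;
}

/* After the change: reused only when reconnecting as the same user. */
const char *pick_password_after(const struct conn *oldconn,
                                const char *userparam, const char *pwparam)
{
    if (!pwparam && oldconn && oldconn->user && userparam &&
        strcmp(oldconn->user, userparam) == 0)
        pwparam = oldconn->pass;
    return pwparam;                 /* NULL: no password was carried over */
}

int main(void)
{
    /* Constructed sample session: "foo" is connected with password "secret". */
    struct conn foo = { "foo", "secret" };
    const char *targets[] = { "foo", "bar", NULL };

    for (int i = 0; i < 3; i++) {
        const char *b = pick_password_before(&foo, targets[i], NULL);
        const char *a = pick_password_after(&foo, targets[i], NULL);
        printf("target=%-6s before=%-6s after=%s\n",
               targets[i] ? targets[i] : "(null)",
               b ? "reuse" : "prompt", a ? "reuse" : "prompt");
    }
    return 0;
}
```

An explicitly supplied password passes through both versions unchanged; only the silent carry-over of the old one differs.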