Re: password leak in mylog thru win odbc - Mailing list pgsql-odbc

From Chris Gamache
Subject Re: password leak in mylog thru win odbc
Date
Msg-id 20030320213249.943.qmail@web13807.mail.yahoo.com
In response to Re: password leak in mylog thru win odbc  ("pg" <pg@newhonest.com>)
List pgsql-odbc
--- pg <pg@newhonest.com> wrote:
> Thank you for your suggestion.
> 1. Does the pgExpress work with VB?

My mistake... It is a Delphi dbExpress component. There is a native access
ActiveX component distributed by dbExperts (www.dbExperts.net) with their
dbExperts PostgreSQL. I believe it is a single threaded ActiveX .dll, which
would preclude using it in a server environment. However, in a single user
environment (one or many single-client applications, all running on separate
machines, connecting to one back-end database), it might do the trick.

> 2. Should the commonly used win 32 ODBC consider some way to stop the leak
> I'm talking about? My suggestion : mylog can be enabled only when the user
> (the one who wants to enable the log) has the rights at the server side. So
> each connection will have different rights and mylogs.

ODBC is strictly a client-side interface protocol. Its logging functions
originate and terminate on the client side. In some cases, ODBC is used
server-side as a client interface. If the user has control over the ODBC
component, then they have control over its logging functions. Without knowing
your network architecture, and the proposed deployment for your application,
the best that I can suggest is to not use ODBC, and use a native interface or
another middle-tier solution that meets your specifications.

>
> -Jason
>
> ----- Original Message -----
> From: "Chris Gamache" <cgg007@yahoo.com>
> To: "pg" <pg@newhonest.com>; <pgsql-odbc@postgresql.org>
> Sent: Wednesday, March 19, 2003 11:31 PM
> Subject: Re: [ODBC] password leak in mylog thru win odbc
>
>
> > Several suggestions:
> >
> > Use a different authentication method like Ident... That won't work if you've
> > already implemented a widespread password authentication system, though.
> >
> > Modify the code to the ODBC driver to obscure the password from logs. That
> > might make it hard to troubleshoot authentication issues, though. It also won't
> > help if you're distributing this application. All the user would have to do is
> > to install a different pgodbc driver without the obscured logfiles, and you're
> > back to square one.
> >
> > Upgrade to Windows 2000/XP and put the logfile in a directory with write-only
> > access for the system account that ODBC runs under (system I think... don't
> > take my word for it, though) and only allow reading by administrator or your
> > super user account... That won't help if you're distributing an application.
> >
> > Ditch ODBC altogether and use pgExpress from www.vitavoom.com. It uses libpq
> > for native access to PostgreSQL. There are no hooks for the user to get into
> > there, AFAIK...
> >
> > HTH,
> >
> > CG
> >
> >
> > --- pg <pg@newhonest.com> wrote:
> > > I'm using Win ME. I'm trying to write a program in VB that connects to PG
> > > with super-user account (or with a "connection user" with many rights). The
> > > detail user rights are embedded in the VB program for detail control, so that
> > > no one should know the connection user. Users only know their own password
> > > for that VB program, so their password is only useful with that VB program.
> > >
> > > But if a user enables the mylog in odbc, the password (pwd) shows up there in
> > > mylogxxxxx.
> > >
> > > What can I do to hide the password?
> > >
> > > -Jason
> > >
> > >
>
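As an added illustration of two of the suggestions in this thread, obscuring the password in the driver's trace and checking whether an existing log already exposes it, here is a small Python helper. It is not code from the thread or from psqlODBC; the function names `redact` and `audit`, the treatment of `Password` as an alias of `PWD`, and the sample trace lines are all my own constructions, not the real mylog format.

```python
import re

# ODBC connection-string attributes that carry the secret. "PWD" is the
# standard ODBC keyword; treating "Password" as an alias is an assumption.
# Values may be brace-quoted ({...}) and may then contain ';' or spaces.
_SECRET_ATTR = re.compile(r"(?i)\b(pwd|password)\s*=\s*(\{[^}]*\}|[^;\s]*)")


def redact(text: str) -> str:
    """Replace the value of every PWD=/Password= attribute in text with '***'.
    Works on a bare connection string or on a whole log line containing one."""
    return _SECRET_ATTR.sub(lambda m: f"{m.group(1)}=***", text)


def audit(lines, secret: str):
    """Scan existing log lines for a known secret that appears in clear text.
    Returns the 1-based line numbers containing it, so an operator can judge
    whether a trace file already leaked the connection user's password."""
    return [i for i, line in enumerate(lines, start=1) if secret in line]


# Constructed sample lines in the spirit of an ODBC driver trace; this is
# NOT the real psqlODBC mylog format.
SAMPLE_LOG = [
    "conn=0x1 SQLDriverConnect in='DSN=pgdsn;UID=appuser;PWD=s3cret;'",
    "conn=0x1 SQLDriverConnect in='Server=db;Uid=appuser;Password={p;w d};'",
    "conn=0x1 SQLExecDirect stmt='SELECT 1'",
]


def redacted_sample():
    """The sample trace after redaction; no password value survives."""
    return [redact(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    print("lines exposing the known password:", audit(SAMPLE_LOG, "s3cret"))
    for line in redacted_sample():
        print(line)
```

Note that, as the thread points out, this only helps if the user cannot swap in an unmodified driver; it does not change the fact that the client machine sees the connection user's credentials.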


