Re: How to deny user changing his own password? - Mailing list pgsql-general

From Alvaro Herrera
Subject Re: How to deny user changing his own password?
Date
Msg-id 20030529205424.GG2878@dcc.uchile.cl
Whole thread Raw
In response to Re: How to deny user changing his own password?  ("Trewern, Ben" <Ben.Trewern@mowlem.com>)
List pgsql-general
On Thu, May 29, 2003 at 05:36:04PM +0100, Trewern, Ben wrote:
> Now I think about this it would be useful:  I have an Access database which
> connects to postgres and the password is saved in the access frontend.  If
> someone (not sure how!) runs ALTER USER ..... WITH PASSWORD '....'; via the
> frontend they could disrupt the connection to the postgres backend.  I'm
> sure a similar situation could happen with PHP or similar as you often don't
> use the postgres security features to secure your application.

Not sure with Access, but in general when running something backed by a
database you should not just allow arbitrary SQL reach the database.
There should be no way for any user of the application to execute an
ALTER USER query.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Before you were born your parents weren't as boring as they are now. They
got that way paying your bills, cleaning up your room and listening to you
tell them how idealistic you are."  -- Charles J. Sykes' advice to teenagers

pgsql-general by date:

Previous
From: "Jay O'Connor"
Date:
Subject: PLPGSQL problem with SELECT INTO
Next
From: "scott.marlowe"
Date:
Subject: Re: Postmaster only takes 4-5% CPU