Stephen Frost wrote:
> Unfortunately, Postgres doesn't currently encrypt pg_shadow and even if
> it did you'd have to have the password stored on disk somewhere in the
> clear if you wanted the database to start automatically, which is more
> important if you havn't got backup databases and whatnot (which aren't
> really as easy to set up w/ Postgres and generally Postgres requires
> more disk space than a KDC).
Yeah, but who cares? If the attacker has enough access to the box
that they can grab the stored master password, then they can modify
the postgresql binaries and intercept the salt information (at a
minimum) as it's being sent to the client anyway.
That's because in any sane implementation, you'd store the master
password in a root-readable-only file, and have Postgres start up as
root, grab the password, and then immediately setuid() to the postgres
account, so that accessing the database itself isn't enough to allow
you to compromise the master password. If they can grab the master
password with that setup, then they have root on the box anyway and
can do anything they want.
--
Kevin Brown kevin@sysexperts.com
