Postgres Pro
Downloads
Home   >   mailing lists

Solution to the pg_user passwd problem !?? (c) - Mailing list pgsql-hackers

From Zeugswetter Andreas SARZ
Subject Solution to the pg_user passwd problem !?? (c)
Date
Msg-id 219F68D65015D011A8E000006F8590C6010A51E3@sdexcsrv1.sd.spardat.at
Whole thread Raw
Responses Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)  (The Hermit Hacker <scrappy@hub.org>)
Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)  (jwieck@debis.com (Jan Wieck))
Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)  (Bruce Momjian <maillist@candle.pha.pa.us>)
List pgsql-hackers
Tree view 
Hi all,

What about:
grant select on pg_user to public;
create rule pg_user_hide_pw as on
select to pg_user.passwd
do instead select '********' as passwd;

Then if I do:
select * from pg_user;
usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd  |valuntil
--------+--------+-----------+--------+--------+---------+--------+---------
-------------------
postgres|       6|t          |t       |t       |t        |********|Sat Jan
31 07:00:00 2037 NFT
zeus    |      60|t          |t       |f       |t        |********|
(2 rows)

Also the \d works for all users !

Only "disadvantage" is that noone can read passwd without first dropping the
rule pg_user_hide_pw,
I consider this a feature though ;-)

Since the userauthentication bypasses the rewrite mechanism the logins,
alter user .. and others do work !

Can all of you try to crack this ?

(c) Andreas Zeugswetter

Copyright by Andreas Zeugswetter 1998 contributed to the postgresql project
;-)
Wow, I am actually proud of this (so far, and hope it holds what I think it
does)

pgsql-hackers by date:

Previous
From: Michael Meskes
Date:
Subject: Re: pg_user permissions problem (Was: Re: [HACKERS] RE: New ecgp code problem.)
Next
From: The Hermit Hacker
Date:
Subject: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)