Re: [INTERFACES] pg_pwd - Mailing list pgsql-interfaces

From Sergio A. Kessler
Subject Re: [INTERFACES] pg_pwd
Date
Msg-id 3835CA7B.5D7FF6F3@perio.unlp.edu.ar
In response to Re: [INTERFACES] pg_pwd  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [INTERFACES] pg_pwd
List pgsql-interfaces
Tom Lane wrote:
> 
> "Sergio A. Kessler" <ser@perio.unlp.edu.ar> writes:
> > what is the functionality of the file pg_pwd in $PG_DATA ?
> > (no, there is _nothing_ in the docs)
> 
> That's cause you don't need to know ;-)
> 
> Seriously, it's a flat-file copy of pg_shadow, used by the postmaster
> to do password verification.  (The postmaster can't look directly at
> pg_shadow because it cannot participate in database operations.)
> See doc/TODO.detail/pg_shadow.

where ? can you post an absolute url ?

> > and why is world =writable & readable= ?
> > (hey, everybody, wanna know my passwd ?)
> 
> It's not really a security hole because it lives inside a directory
> that's mode 700 (unless you tampered with the default permissions
> setup). 

in rh6.1 /var/lib/pgsql is 755 (and no, I haven't changed anything)
can you spell "2_KM_DIAMETER_HOLE" ?

> However, I agree it oughta be changed anyway.

having a text file with usernames and *passwords in clear*
world readable & writable makes me feel nervous, pretty nervous.
indeed the root user (who isn't the dba) can know anything too
easily...

-- 
-=  Sergio A. Kessler     ==    http://sak.org.ar  =-
You can have it soon, cheap and working; choose *two*.
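
The point argued in this message, whether a world-readable and world-writable pg_pwd is actually reachable, depends on the mode of every directory above it. The check below is an added example, not part of the original message or of PostgreSQL's code. The function name `world_exposure`, the temporary directory layout and the file contents are constructed for illustration, and only classic mode bits are examined (no ACLs).

```python
import os
import shutil
import stat
import tempfile


def world_exposure(path, top="/"):
    """Report what the 'other' permission class can do to `path`.

    A file's own o+r / o+w bits only take effect if every directory between
    `top` and the file grants search (x) to 'other'. Classic mode bits only;
    ACLs and group membership are not considered.
    """
    path, top = os.path.realpath(path), os.path.realpath(top)
    blocked_by = []
    parent = os.path.dirname(path)
    while parent != top and parent != os.path.dirname(parent):
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            blocked_by.append(parent)
        parent = os.path.dirname(parent)
    mode = os.stat(path).st_mode
    nominal = {name for name, bit in (("read", stat.S_IROTH),
                                      ("write", stat.S_IWOTH)) if mode & bit}
    effective = set() if blocked_by else nominal
    return {"nominal": nominal, "effective": effective, "blocked_by": blocked_by}


def demo():
    """Constructed layout <tmp>/pgsql/data/pg_pwd with the file at mode 666."""
    top = tempfile.mkdtemp()
    try:
        data = os.path.join(top, "pgsql", "data")
        os.makedirs(data)
        os.chmod(os.path.join(top, "pgsql"), 0o755)
        pwd = os.path.join(data, "pg_pwd")
        with open(pwd, "w") as f:
            f.write("constructed placeholder, not real pg_pwd content\n")
        os.chmod(pwd, 0o666)
        results = {}
        for label, dir_mode in (("data_700", 0o700), ("data_755", 0o755)):
            os.chmod(data, dir_mode)
            results[label] = world_exposure(pwd, top)
        return results
    finally:
        shutil.rmtree(top)


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

On a real installation, call `world_exposure` on the pg_pwd path with the default `top="/"`; an empty `effective` set means some ancestor directory withholds search permission from other users.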