Re: Password issue revisited - Mailing list pgsql-general

From Shane Ambler
Subject Re: Password issue revisited
Date
Msg-id 45BCACDB.5050702@007Marketing.com
Whole thread Raw
In response to Password issue revisited  ("Michael Schmidt" <michaelmschmidt@msn.com>)
Responses Re: Password issue revisited  (Bruce Momjian <bruce@momjian.us>)
List pgsql-general
Michael Schmidt wrote:
> Fellow PostgreSQL fans,

> 1.  I don't see that this would pose a major security risk.  In
 > fact, in applications where the user enters the password for each
 > session, the password need never be saved to disk, which seems a
 > definite security advantage.  Some folks have noted that .pgpass is
 > a plain text file, hence it could be vulnerable.

Yes it is a plain text file but if you want to use it then you need to
ensure the security is sufficient on the file or it won't be used.

As per the manual -

 > The permissions on .pgpass must disallow any access to world or
group; > achieve this by the command chmod 0600 ~/.pgpass. If the
permissions
 > are less strict than this, the file will be ignored. (The file
 > permissions are not currently checked on Microsoft Windows, however.)


So this security feature should be something that gets added to the
windows version. But otherwise the security of the user's account that
has a .pgpass file is the decider on whether it is vulnerable.


--

Shane Ambler
pgSQL@007Marketing.com

Get Sheeky @ http://Sheeky.Biz

pgsql-general by date:

Previous
From: Shane Ambler
Date:
Subject: Re: Predicted lifespan of different PostgreSQL branches
Next
From: "Joris Dobbelsteen"
Date:
Subject: Re: counting query