Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
| From | Tom Lane |
|---|---|
| Subject | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| Date | |
| Msg-id | 11085.1114056830@sss.pgh.pa.us (discussion, source text) |
| In reply to | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords (Paul Tillotson <pntil@shentel.net>) |
| Responses | Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords; Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords; Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords |
| List | pgsql-hackers |
Paul Tillotson <pntil@shentel.net> writes:
> Of course, someone is asking to be 0wn3d if they set up PHPBB to connect
> as superuser. However, given the amount of work done to prevent
> foot-shooting in other areas (e.g., server refuses to run as root), it
> seems inconsistent that using md5 as the connection method opens the
> server to any attacker who knows the hashes.

Hm? Using md5 is certainly not any *more* dangerous than any of the other
possible password-based methods.

> *Interesting mental exercise: if all that your SQL injection allows is
> to add conditions to a WHERE clause evaluated as superuser, how does one
> execute arbitrary code? I can't think of how to do it offhand.

If I found the correct reference:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=185180
then this wasn't any more circumscribed than any other SQL injection
attack. Consider injecting something like

    ... AND FALSE; CREATE USER trojan WITH PASSWORD 'trivial'; SELECT ... repeat original query text ...

It's worth pointing out also that adding a per-user-entry random salt to
the password protocol is not some kind of penalty-free magic bullet. In
particular it implies information leakage: I can tell from the password
challenge (or lack of one) whether the username I have offered is valid.
So rather than claiming "this is unconditionally a good thing to do", you
must actually provide a credible scenario that makes the threat you are
defending against more dangerous than the sorts of new threats we'll be
exposed to. So far I haven't seen a very credible threat here.

			regards, tom lane
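The information-leakage point about per-user salts can be made concrete with a small model. The following is an added example, not code from the thread or from PostgreSQL: it models a hypothetical challenge-response step in which the server hands the client the stored per-user salt before the client hashes its password. `LeakyChallengeServer` sends a salt only when the username exists, so the absence of a challenge confirms that a name is invalid. `UniformChallengeServer` closes that channel by deriving a stable fake salt for unknown names from a server-side secret (an HMAC over the username), so an unauthenticated observer receives a 16-byte salt either way and cannot tell the two cases apart by comparing responses. All names, classes and the protocol shape are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets


class LeakyChallengeServer:
    """Hypothetical server: returns the real per-user salt, or None if the
    user is unknown. The None response is itself a username oracle."""

    def __init__(self):
        self._salts = {}

    def add_user(self, name):
        # Constructed: a fresh random salt per user, as a salted scheme would store.
        self._salts[name] = os.urandom(16)

    def challenge(self, name):
        # Leak: unknown users get no challenge at all.
        return self._salts.get(name)


class UniformChallengeServer:
    """Hypothetical hardened server: unknown users receive a deterministic
    decoy salt so valid and invalid names produce indistinguishable replies."""

    def __init__(self):
        self._salts = {}
        # Server-side secret; never sent to clients. Keyed derivation keeps the
        # decoy stable across requests (a decoy that changed between requests
        # would itself reveal that the user does not exist).
        self._decoy_key = secrets.token_bytes(32)

    def add_user(self, name):
        self._salts[name] = os.urandom(16)

    def challenge(self, name):
        salt = self._salts.get(name)
        if salt is None:
            salt = hmac.new(self._decoy_key, name.encode("utf-8"),
                            hashlib.sha256).digest()[:16]
        return salt


def observer_can_enumerate(server, known_name, unknown_name):
    """What an unauthenticated client learns: True if the two replies differ in
    shape (one absent, one present), i.e. the server leaks username validity."""
    a = server.challenge(known_name)
    b = server.challenge(unknown_name)
    return (a is None) != (b is None) or (a is not None and len(a) != len(b))


def decoy_is_stable(server, unknown_name, rounds=3):
    """The hardened reply must not vary between requests for the same unknown
    name, otherwise repeated probes would distinguish decoys from real salts."""
    replies = {server.challenge(unknown_name) for _ in range(rounds)}
    return len(replies) == 1


if __name__ == "__main__":
    leaky = LeakyChallengeServer()
    leaky.add_user("alice")
    hardened = UniformChallengeServer()
    hardened.add_user("alice")
    print("leaky server enumerable:", observer_can_enumerate(leaky, "alice", "nobody"))
    print("hardened server enumerable:", observer_can_enumerate(hardened, "alice", "nobody"))
    print("hardened decoy stable:", decoy_is_stable(hardened, "nobody"))
```

The decoy only removes the leak in the reply itself; a real implementation would also need the lookup and derivation paths to take comparable time, since a measurable timing difference reopens the same oracle.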