Re: New pg_pwd patch and stuff
From | Bruce Momjian |
---|---|
Subject | Re: New pg_pwd patch and stuff |
Date | |
Msg-id | 199801112153.QAA13476@candle.pha.pa.us |
Responses | Re: New pg_pwd patch and stuff |
 | Re: [HACKERS] Re: New pg_pwd patch and stuff |
List | pgsql-hackers |

> > It has to be this way, otherwise it would be possible for a user to see
> > other users' passwords in pg_user. I spoke to you all about this when I
> > first started. I was going to make a separate relation (pg_password),
> > but I was convinced not to since there is a one to one correlation
> > between users and passwords. At this point I sent email to the effect
> > that pg_user could no longer be readable by the group 'public'. If it
> > was readable by public, then the passwords would have to be encrypted in
> > pg_user. If this is the case, then the frontends will have to pass an
> > unencrypted password over the network. Again this degrades the security
> > of PostgreSQL.
> >
> > The real solution to this problem would be to create a pg_privileges
> > relation, overhauling the privileges system entirely. Then we could
> > just restrict access to the password column of pg_user. However, I
> > would suggest that the entire pg_privileges table be cached in shared
> > memory to speed things up. I am unsure if the catalog tables are cached
> > in shared memory or not (They really should be, but then this would
> > probably require some logging to files in case of system crash).
> >
> > In the meantime, there should really be nothing that the average user
> > will need from pg_user. The '\d' is the only problem I have encountered
> > thus far, and I hope to solve that problem soon. Therefore, if you
> > really, really need something from pg_user, then you need to have select
> > privileges given to you explicitly, or you could explicitly give them to
> > public. This would, however, give public the ability to see user
> > passwords (If you are using HBA only, then just give public the select
> > over pg_user).
>
> Wait, let me just get this straight here...pg_user is, by default,
> unreadable by the general public, but is changeable just using a simple
> grant/revoke??
>
> If so, I'm confused as to why this is a bad thing? Bruce? Sort
> of seems to me that it's like the TCP/Unix Socket argument...go to the most
> secure first, then let the one setting it up downgrade as they feel is
> appropriate...no?

OK, general question. Does pg_user need to be readable? Do non-postgres
users want to see who owns each table? I don't know.

--
Bruce Momjian
maillist@candle.pha.pa.us