Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)
| От | Bruce Momjian |
|---|---|
| Тема | Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c) |
| Дата | |
| Msg-id | 199802191507.KAA19472@candle.pha.pa.us обсуждение исходный текст |
| Ответ на | AW: [HACKERS] Solution to the pg_user passwd problem !?? (c) (Zeugswetter Andreas SARZ <Andreas.Zeugswetter@telecom.at>) |
| Список | pgsql-hackers |
Well, seeing as Jan is one of the rewrite/rules system experts, let's ask him. > > Okay :-( > > But: I think this is an error in the rewrite system. I think this query > should get rewritten ! > Can we fix this ? > > Andreas > > ---------- > > Von: Jan Wieck[SMTP:jwieck@debis.com] > > Antwort an: Jan Wieck > > Gesendet: Donnerstag, 19. Februar 1998 15:53 > > An: Zeugswetter Andreas SARZ > > Cc: pgsql-hackers@hub.org > > Betreff: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) > > > > > > > > Hi all, > > > > > > What about: > > > grant select on pg_user to public; > > > create rule pg_user_hide_pw as on > > > select to pg_user.passwd > > > do instead select '********' as passwd; > > > > > > Then if I do: > > > select * from pg_user; > > > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd > > |valuntil > > > > > --------+--------+-----------+--------+--------+---------+--------+------- > > -- > > > ------------------- > > > postgres| 6|t |t |t |t |********|Sat > > Jan > > > 31 07:00:00 2037 NFT > > > zeus | 60|t |t |f |t |********| > > > (2 rows) > > > > > > Also the \d works for all users ! > > > > > > Only "disadvantage" is that noone can read passwd without first dropping > > the > > > rule pg_user_hide_pw, > > > I consider this a feature though ;-) > > > > > > Since the userauthentication bypasses the rewrite mechanism the logins, > > > alter user .. and others do work ! > > > > > > Can all of you try to crack this ? > > > > Cracked! > > > > create table get_passwds (usename name, passwd text); > > insert into get_passwds select usename, passwd from pg_user; > > select * from get_passwds; > > usename|passwd > > -------+------ > > pgsql | > > wieck |test > > (2 rows) > > > > > > > > Sorry, Jan > > > > -- > > > > #======================================================================# > > # It's easier to get forgiveness for being wrong than for being right. # > > # Let's break this rule - forgive me. # > > #======================================== jwieck@debis.com (Jan Wieck) # > > > > > > > > -- Bruce Momjian maillist@candle.pha.pa.us
В списке pgsql-hackers по дате отправления: