Re: [INTERFACES] pg_pwd

Tom Lane wrote:
> 
> "Sergio A. Kessler" <ser@perio.unlp.edu.ar> writes:
> > what is the funcionality of the file pg_pwd in $PG_DATA ?
> > (no, there is _nothing_ in the docs)
> 
> That's cause you don't need to know ;-)
> 
> Seriously, it's a flat-file copy of pg_shadow, used by the postmaster
> to do password verification.  (The postmaster can't look directly at
> pg_shadow because it cannot participate in database operations.)
> See doc/TODO.detail/pg_shadow.

where ? can you post an absolute url ?

> > and why is world =writable & readable= ?
> > (hey, everybody, wanna know my passwd ?)
> 
> It's not really a security hole because it lives inside a directory
> that's mode 700 (unless you tampered with the default permissions
> setup). 

in rh6.1 /var/lib/pgsql is 755 (and no, I haven't changed anything)
can you spell "2_KM_DIAMETER_HOLE" ?

> However, I agree it oughta be changed anyway.

having a text file with usernames and *passwords in clear*
world readable & writable make me feel nervous, pretty nervous.
indeed the root user (who isn't the dba) can know anything too
easy...

-- 
-=  Sergio A. Kessler     ==    http://sak.org.ar  =-
You can have it soon, cheap and working; choose *two*.