Re: pgadmin security issue

Hi, Suren,

> //
>
> */PROBLEM 1/*
>
> /Even though we can restrict a user for couple of databases , the user 
> can disconnect from the current  session and edit the connection 
> properties/
>
> /SO this means he could remove the /DB restriction field/ “ datname IN 
> ('live_db', 'test_db') “  and reconnect and see all the other databases/
>
> / /
>
> /I recommend setting up a admin account at the time of installing 
> pgadmin and only by login in to the admin account of pgadmin should be 
> able to create, edit and view connection properties/
>
I think its not pgAdmin you should set permitions on. You should not 
grant your user to connect to databases you don't want him to (in 
postgreSQL).
>
> //
>
> / /
>
> */PROBLEM 2/*
>
> /When making a connection to the DB server with pgadmin if u use a 
> valid db name and a valid user login name/
>
> /Then pgadmin will allow access to the database with out checking the 
> password/
>
> /I mean if I type a wrong password BUT if the user account and the 
> database is valid I will still be able to access the database/
>
> / /
>
> /I’m new to postgres so I’m not sure if this is a real bug or if this 
> is a feature , Please update me ASAP/
>
> /Thanks/
>
> /Suren/
>
configure your  postgresql. In file pg_hba.conf that you have "md5" 
identification method, not "trust".

-- 
Julius Tuskenis