Re: .pgpass and root: a problem
From | Joshua D. Drake |
---|---|
Subject | Re: .pgpass and root: a problem |
Date | |
Msg-id | 5111550E.70306@commandprompt.com |
In response to | Re: .pgpass and root: a problem (Scott Marlowe <scott.marlowe@gmail.com>) |
Responses | Re: .pgpass and root: a problem |
List | pgsql-general |
On 02/05/2013 10:44 AM, Scott Marlowe wrote:
>
> On Tue, Feb 5, 2013 at 10:15 AM, Shaun Thomas <sthomas@optionshouse.com> wrote:
>> Hey folks,
>>
>> We're wanting to implement a more secure password policy, and so have
>> considered switching to LDAP/Active Directory for passwords. Normally, this
>> would be fine, but for two things:
>>
>> 1. Tons of our devs use .pgpass files to connect everywhere.
>> 2. Several devs have root access to various environments.
>
> Stop. If you want secure setups you don't hand out root access to
> lots of people. Trying to then make it secure is like closing the
> barn door after the horse has left.

I think this is a naive response, Scott, although I must admit it was my
gut reaction as well.

The reality is we shouldn't store a plain text password. At a minimum it
should be hashed. That part of the problem is really on us, regardless if
it is a bad idea to hand out root.

Now it is true that if they can't trust their devs with this problem,
those devs shouldn't have root, but that is a business policy problem
whereas ours is an actual security issue.

Sincerely,

Joshua D. Drake

--
Command Prompt, Inc. - http://www.commandprompt.com/
PostgreSQL Support, Training, Professional Services and Development
High Availability, Oracle Conversion, Postgres-XC
@cmdpromptinc - 509-416-6579