Re: Security Concerns over User 'postgres'

lvaningen@esncc.com ("Lane Van Ingen") writes:
> Looked at /etc/shadow, and (in fact) it doesn't have a password, so I was
> wrong about that.
>
> Tried to use the login command to login directly log into postgres, but for
> some reason could not do that on RHEL 4.0 either. So, like you said, I am
> not certain that I have a vulnerability here at all, other than su-ing from
> root.

I'm certain; you do NOT have a vulnerability there, if there is no
password in /etc/shadow.  (Well, barring stupidity like dramatic
misconfiguration of PAM to accept logins without passwords :-).)
--
(format nil "~S@~S" "cbbrowne" "cbbrowne.com")
http://linuxdatabases.info/info/finances.html
Rules of the Evil Overlord #10.  "I will not interrogate my enemies in
the inner sanctum  -- a small hotel well outside  my borders will work
just as well." <http://www.eviloverlord.com/>