Re: Have an encrypted pgpass file
| От | Isaac Morland |
|---|---|
| Тема | Re: Have an encrypted pgpass file |
| Дата | |
| Msg-id | CAMsGm5e6_obb7dX4CPow6WYfWSAN-tpdS7nyc6CogfZZ+rSfrw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Have an encrypted pgpass file ("Tels" <nospam-pg-abuse@bloodgate.com>) |
| Ответы |
Re: Have an encrypted pgpass file
|
| Список | pgsql-hackers |
On 20 July 2018 at 17:22, Tels <nospam-pg-abuse@bloodgate.com> wrote:
Moin,
> It would also provide a *very* fertile source of shell-script-injection
> vulnerabilities. (Whaddya mean, you tried to use a user name with a
> quote mark in it?)
Little Bobby Tables, we call him. :)
I'm also concerned that that would let anybody who could alter the
environment then let arbitrary code be run as user postgres. Is this
something that poses a risk in addition to the current situation?
If I understand the proposal correctly, the pgpass program would run on the client, invoked by libpq when a password is needed for a connection. So the risk relates to strange things happening on the client when the client attempts to connect as a strangely-named user or to a strangely-named database or host, not to being able to break into the server.
В списке pgsql-hackers по дате отправления: