Re: pg_shadow / pg_user

From: "Rudi" <rudi(at)oasis(dot)net(dot)au>
To: <pgsql-sql(at)postgresql(dot)org>
Subject: Re: pg_shadow / pg_user
Date: 2002-02-07 02:15:57
Message-ID: 000501c1af7d$6135c090$0c00a8c0@sun
Lists: pgsql-sql

Hi Chris,

Thanks for your reply.
That's very good news.
I am using Pg 7.0 at home for research and dev.
It's an old box. At work we are using 7.1.3.

Cheers
Rudi.

----- Original Message -----
From: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
To: "Rudi" <rudi(at)oasis(dot)net(dot)au>; <pgsql-sql(at)postgresql(dot)org>
Sent: Thursday, February 07, 2002 12:05 PM
Subject: RE: [SQL] pg_shadow / pg_user

> Hi Rudi,
>
> In the newly-released Postgres 7.2, the passwords are now MD5 encrypted
> (IIRC). I highly suggest upgrading to the new version.
>
> Chris
>
> -----Original Message-----
> From: pgsql-sql-owner(at)postgresql(dot)org
> [mailto:pgsql-sql-owner(at)postgresql(dot)org]On Behalf Of Rudi
> Sent: Thursday, 7 February 2002 9:51 AM
> To: pgsql-sql(at)postgresql(dot)org
> Subject: [SQL] pg_shadow / pg_user
>
>
> Hi friends,
>
> I've been learning about security using Pg lately.
> Up until last night I thought system user passwords were stored safely away
> in pg_user.
> So far I haven't been able to get any passwords out, only '*******'.
> Then last night I was observing each system table and found that pg_shadow
> stores user passwords in clear text.
> ??
> pg_shadow = clear text password
> pg_user = hidden password
>
> I guess this means if an intruder gets an appropriate account on the box they
> can view all passwords.
> I had assumed that system passwords were stored hidden from all eyeballs.
> Sort of like Apache storing http passwords in binary form in a db.
>
> Is this how it is ?
>
> If so, I was thinking I'd like to know if someone tries or succeeds in querying
> the pg_shadow table.
> I thought maybe to increase the postmaster debug level so that all SQL
> queries are logged.
> Then write a cron job to check this log and email me if it is detected that
> a user attempted or did query
> the pg_shadow table.
>
> How does this sound ?
> Am I totally on track ?
>
> Thanks for your time and attention
> Kind regards
> Rudi.
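
The log-and-scan idea from the quoted message, as an added example that is not part of the original thread. It assumes statement logging in the style of current PostgreSQL releases (`log_statement = 'all'`, `log_line_prefix = '%m [%p] %u@%d '`), not the 7.x versions discussed; the log lines are constructed and `scan_log` is a hypothetical name.

```python
import re

# Constructed sample log. Assumes log_statement = 'all' and
# log_line_prefix = '%m [%p] %u@%d ' (assumptions, not from the thread).
SAMPLE_LOG = """\
2024-01-01 02:10:01.123 UTC [411] app@shop LOG:  statement: SELECT * FROM orders WHERE note = 'pg_shadow'
2024-01-01 02:11:14.530 UTC [412] webuser@shop LOG:  statement: select usename, passwd from PG_SHADOW;
2024-01-01 02:11:14.531 UTC [412] webuser@shop ERROR:  permission denied for relation pg_shadow
2024-01-01 02:12:40.002 UTC [398] postgres@template1 LOG:  statement: SELECT 1 FROM pg_catalog."pg_shadow"
2024-01-01 02:13:05.900 UTC [411] app@shop LOG:  statement: SELECT usename FROM pg_user
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
                  r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
LITERAL = re.compile(r"'(?:[^']|'')*'")        # SQL string literal, '' escapes included
TARGET = re.compile(r"\bpg_shadow\b", re.I)    # bare, quoted or schema-qualified name

def scan_log(log_text):
    """Return one finding per logged statement that references pg_shadow."""
    findings, pending = [], {}                 # pending: pid -> last flagged statement
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                           # continuation lines, other formats
        pid, msg = m["pid"], m["msg"]
        if m["level"] == "LOG" and msg.startswith("statement: "):
            sql = msg[len("statement: "):]
            pending.pop(pid, None)             # a new statement ends the previous one
            # Blank out string literals so data that merely contains the
            # text 'pg_shadow' does not raise an alert.
            if TARGET.search(LITERAL.sub("''", sql)):
                finding = {"ts": m["ts"], "user": m["user"], "db": m["db"],
                           "sql": sql, "outcome": "no denial logged"}
                findings.append(finding)
                pending[pid] = finding
        elif m["level"] == "ERROR" and pid in pending:
            # The statement is logged before it runs, so the error from the
            # same backend tells an attempt apart from a successful read.
            if "permission denied" in msg and TARGET.search(msg):
                pending[pid]["outcome"] = "denied"
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["user"] + "@" + f["db"], f["outcome"], "|", f["sql"])
```

A cron wrapper would feed this only the log bytes written since its last run and mail any non-empty result.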
