From: | "Hiroshi Saito" <z-saito(at)guitar(dot)ocn(dot)ne(dot)jp> |
---|---|
To: | "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "Thomas Bley" <thbley(at)gmail(dot)com> |
Cc: | <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: password is no required, authentication is overridden |
Date: | 2006-07-19 00:33:24 |
Message-ID: | 029501c6aaca$f5322de0$24110dde@IBMC4B5932F74B |
Lists: | pgsql-hackers |
From: "Andrew Dunstan"
> Thomas Bley wrote:
>
>>
>>
>> + The .pgpass file will be automatically created if you're using
>> pgAdmin III with "store password" being enabled in the connection
>> settings.
>>
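Review bot: the added sentence should also state the consequence of pgAdmin III creating "The .pgpass file": if this is the default file that libpq reads, other libpq clients run by the same user will then connect without a password prompt, which is the surprise this thread is about. Suggest adding that, and rewording "being enabled" to "is enabled".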
>
> It strikes me that this is actually a bad thing for pgadmin3 to be
> doing. It should use its own file, not the default location, at least if
> the libpq version is >= 8.1. We provided the PGPASSFILE environment
> setting just so programs like this could use alternative locations for
> the pgpass file. Otherwise, it seems to me we are violating the POLS, as
> in the case of this user who not unnaturally thought he had found a
> major security hole.

Ummm, the function which pgAdmin offers is the optimal one at present. I do not
think that PGPASSFILE clearly avoids the danger. Probably, it is easy for a
malicious user to find it after the change. I consider it to be a problem that
the password is in the end plain text. So I made a proposal before. However,
it was indicated that deliberation is required again..... I want to consider a good
method again. Does anyone have a good proposal?

Regards,
Hiroshi Saito
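
The PGPASSFILE approach discussed in this message, as an added example (not code from pgAdmin, PostgreSQL or either author): an application keeps its own password file and checks that group and others have no access, since libpq on Unix-like systems ignores a password file they can read. The function names, the file location and the sample credentials are constructed for illustration; the password is still stored as plain text, protected only by file permissions.

```shell
#!/bin/sh
# Added example: a per-application libpq password file selected via PGPASSFILE.
# All names and values below are hypothetical.

# Escape '\' and ':' inside a field, as the pgpass line format requires.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# pgpass_add FILE HOST PORT DATABASE USER PASSWORD
# Appends one hostname:port:database:username:password line to FILE,
# creating FILE with owner-only access.
pgpass_add() {
    file=$1; shift
    (
        umask 077                      # new file gets no group/other bits
        line=; sep=
        for field in "$@"; do
            line="${line}${sep}$(pgpass_escape "$field")"
            sep=:
        done
        printf '%s\n' "$line" >> "$file"
    )
    chmod 600 "$file"                  # tighten a file that already existed
}

# Return 0 only if FILE exists and group/others have no permission bits set.
pgpass_private() {
    [ -f "$1" ] || return 1
    bits=$(ls -ld "$1" | cut -c5-10)   # group and other rwx columns
    [ "$bits" = "------" ]
}

# Usage with constructed values: write one entry, then point libpq at it.
demo_dir=$(mktemp -d)
APP_PGPASS="$demo_dir/pgpass"          # hypothetical application-owned file
pgpass_add "$APP_PGPASS" db.example.org 5432 sales app_user 'p:ss\word'
PGPASSFILE=$APP_PGPASS; export PGPASSFILE   # honoured by libpq 8.1 and later
pgpass_private "$PGPASSFILE" && echo "private password file: $PGPASSFILE"
rm -rf "$demo_dir"
```
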