Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Paul Tillotson <pntil(at)shentel(dot)net>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: 2005-04-21 04:13:50
Message-ID: 11085.1114056830@sss.pgh.pa.us
Lists: pgsql-hackers

Paul Tillotson <pntil(at)shentel(dot)net> writes:
> Of course, someone is asking to be 0wn3d if they set up PHPBB to connect
> as superuser. However, given the amount of work done to prevent
> foot-shooting in other areas (e.g., server refuses to run as root), it
> seems inconsistent that using md5 as the connection method opens the
> server to any attacker who knows the hashes.

Hm? Using md5 is certainly not any *more* dangerous than any of the
other possible password-based methods.

> *Interesting mental exercise: if all that your SQL injection allows is
> to add conditions to a WHERE clause evaluated as superuser, how does one
> execute arbitrary code? I can't think of how to do it offhand.

If I found the correct reference:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=185180
then this wasn't any more circumscribed than any other SQL injection
attack. Consider injecting something like

... AND FALSE; CREATE USER trojan WITH PASSWORD 'trivial'; SELECT ... repeat original query text ...

It's worth pointing out also that adding a per-user-entry random salt
to the password protocol is not some kind of penalty-free magic bullet.
In particular it implies information leakage: I can tell from the
password challenge (or lack of one) whether the username I have offered
is valid. So rather than claiming "this is unconditionally a good thing
to do", you must actually provide a credible scenario that makes the
threat you are defending against more dangerous than the sorts of new
threats we'll be exposed to. So far I haven't seen a very credible
threat here.

regards, tom lane
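
The following is an added example, not part of the thread above and not PostgreSQL project code. It reconstructs the md5 password exchange that pg_hba.conf's "md5" method uses (stored value 'md5' + md5(password || username); client answer 'md5' + md5(inner_hex || 4-byte salt)) so that the two claims being argued can be checked offline: that anyone holding the pg_shadow hash can answer the challenge without the password, and that a per-user random salt, as proposed in the thread, turns the challenge into a username-existence oracle unless the server sends a stable decoy salt for unknown names. The SaltedServer class, its decoy-salt construction, and all usernames, passwords and salts are this example's own assumptions and constructed test data.

```python
"""Added example (not from the thread): PostgreSQL md5 auth, modelled both
sides, plus a hypothetical per-user-salt variant and its enumeration leak."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def pg_md5_stored(username: str, password: str) -> str:
    """What pg_shadow holds for a user under md5 auth: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_response(stored: str, salt: bytes) -> str:
    """Client side of the exchange: 'md5' + md5(inner_hex || salt).

    Only the stored value (minus its 'md5' prefix) is needed, never the
    cleartext password; that is the pass-the-hash property under discussion."""
    if not stored.startswith("md5") or len(salt) != 4:
        raise ValueError("expected an md5-prefixed stored hash and a 4-byte salt")
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def pg_md5_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected answer from the stored hash and compare."""
    return hmac.compare_digest(pg_md5_response(stored, salt), response)


def pass_the_hash_demo() -> bool:
    """An attacker who read pg_shadow (e.g. through an app connected as
    superuser) authenticates as 'alice' using only the stored hash."""
    shadow = {"alice": pg_md5_stored("alice", "correct horse battery staple")}  # constructed
    leaked = shadow["alice"]                  # attacker's knowledge: the hash, not the password
    salt = os.urandom(4)                      # server's AuthenticationMD5Password challenge
    response = pg_md5_response(leaked, salt)  # computed without the password
    return pg_md5_verify(shadow["alice"], salt, response)


class SaltedServer:
    """Hypothetical per-user-salt scheme (an assumption of this example, not
    PostgreSQL's protocol).  The server must send the user's salt in its
    challenge, so it has to decide what to send when the user does not exist."""

    def __init__(self, decoy: bool) -> None:
        self.decoy = decoy
        self.secret = os.urandom(16)  # server-private key for decoy salts
        self.users: Dict[str, Tuple[bytes, str]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.md5(salt + password.encode()).hexdigest()
        self.users[username] = (salt, digest)

    def challenge(self, username: str) -> Optional[bytes]:
        """Salt sent to the client.  Returning None for unknown names is the
        information leak the message warns about."""
        if username in self.users:
            return self.users[username][0]
        if not self.decoy:
            return None
        # Stable decoy: same bogus name always gets the same 16-byte salt, so a
        # probing client cannot tell it from a real account by the challenge alone.
        return hmac.new(self.secret, username.encode(), "md5").digest()

    def verify(self, username: str, salt: bytes, response: str) -> bool:
        entry = self.users.get(username)
        if entry is None or entry[0] != salt:
            return False
        return hmac.compare_digest(entry[1], response)


def challenge_reveals_user(server: SaltedServer, real_user: str, bogus_user: str) -> bool:
    """Client-side probe: does the challenge alone distinguish a real user from a bogus one?"""
    real = server.challenge(real_user)
    bogus = server.challenge(bogus_user)
    return real is not None and (bogus is None or len(bogus) != len(real))


if __name__ == "__main__":
    print("pass-the-hash against md5 auth works:", pass_the_hash_demo())
    leaky = SaltedServer(decoy=False)
    leaky.add_user("alice", "pw")                      # constructed
    print("naive per-user salt leaks usernames:", challenge_reveals_user(leaky, "alice", "mallory"))
    fixed = SaltedServer(decoy=True)
    fixed.add_user("alice", "pw")
    print("decoy salt hides usernames:", not challenge_reveals_user(fixed, "alice", "mallory"))
```

The decoy branch is one way to pay for the per-user salt without the leak the message describes; it is not something the thread proposes, and it only closes the challenge-content channel, not timing differences between the lookup paths.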
