Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)

From: Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us>
To: Andreas(dot)Zeugswetter(at)telecom(dot)at (Zeugswetter Andreas SARZ)
Cc: jwieck(at)debis(dot)com, pgsql-hackers(at)hub(dot)org
Subject: Re: AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Date: 1998-02-19 15:07:44
Message-ID: 199802191507.KAA19472@candle.pha.pa.us
Lists: pgsql-hackers

Well, seeing as Jan is one of the rewrite/rules system experts, let's
ask him.

>
> Okay :-(
>
> But: I think this is an error in the rewrite system. I think this query
> should get rewritten !
> Can we fix this ?
>
> Andreas
> > ----------
> > From: Jan Wieck[SMTP:jwieck(at)debis(dot)com]
> > Reply to: Jan Wieck
> > Sent: Thursday, 19 February 1998 15:53
> > To: Zeugswetter Andreas SARZ
> > Cc: pgsql-hackers(at)hub(dot)org
> > Subject: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
> >
> > >
> > > Hi all,
> > >
> > > What about:
> > > grant select on pg_user to public;
> > > create rule pg_user_hide_pw as on
> > > select to pg_user.passwd
> > > do instead select '********' as passwd;
> > >
> > > Then if I do:
> > > select * from pg_user;
> > > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd  |valuntil
> > > --------+--------+-----------+--------+--------+---------+--------+----------------------------
> > > postgres|       6|t          |t       |t       |t        |********|Sat Jan 31 07:00:00 2037 NFT
> > > zeus    |      60|t          |t       |f       |t        |********|
> > > (2 rows)
> > >
> > > Also the \d works for all users !
> > >
> > > Only "disadvantage" is that no one can read passwd without first dropping
> > > the rule pg_user_hide_pw,
> > > I consider this a feature though ;-)
> > >
> > > Since the user authentication bypasses the rewrite mechanism the logins,
> > > alter user .. and others do work !
> > >
> > > Can all of you try to crack this ?
> >
> > Cracked!
> >
> > create table get_passwds (usename name, passwd text);
> > insert into get_passwds select usename, passwd from pg_user;
> > select * from get_passwds;
> > usename|passwd
> > -------+------
> > pgsql |
> > wieck |test
> > (2 rows)
> >
> >
> >
> > Sorry, Jan
> >
> > --
> >
> > #======================================================================#
> > # It's easier to get forgiveness for being wrong than for being right. #
> > # Let's break this rule - forgive me. #
> > #======================================== jwieck(at)debis(dot)com (Jan Wieck) #
> >
> >
> >
>
>

--
Bruce Momjian
maillist(at)candle(dot)pha(dot)pa(dot)us
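
The masking in the quoted proposal depends on each query being rewritten, while the passwd column itself stays readable by public. As an added example (not part of this thread; written for current PostgreSQL and run as a superuser in a scratch database, with the hypothetical names app_user_secret, app_user and demo_reader), the hiding can instead be enforced with table privileges plus a masking view, so the INSERT ... SELECT path from the thread copies only the mask:

```sql
-- Added example with constructed data; all object and role names are hypothetical.
BEGIN;

CREATE ROLE demo_reader NOLOGIN;

-- Base table holding the secret column.
CREATE TABLE app_user_secret (
    usename  name PRIMARY KEY,
    usesuper boolean NOT NULL,
    passwd   text
);
INSERT INTO app_user_secret VALUES
    ('pgsql', true,  NULL),
    ('wieck', false, 'test');

-- Ordinary roles get no privileges on the base table. New tables grant
-- nothing to PUBLIC by default; the REVOKE makes the intent explicit.
REVOKE ALL ON app_user_secret FROM PUBLIC;

-- The view is the only public entry point and never exposes the column.
-- It runs with its owner's privileges, so readers need no base-table grant.
CREATE VIEW app_user AS
    SELECT usename, usesuper, '********'::text AS passwd
    FROM app_user_secret;
GRANT SELECT ON app_user TO PUBLIC;

SET ROLE demo_reader;

-- Plain read: passwd shows only the mask.
SELECT * FROM app_user;

-- The copy-into-my-own-table path from the thread: only the mask is copied.
CREATE TEMP TABLE get_passwds AS
    SELECT usename, passwd FROM app_user;
SELECT * FROM get_passwds;

-- Going around the view fails with "permission denied for table app_user_secret".
SAVEPOINT direct_read;
SELECT usename, passwd FROM app_user_secret;
ROLLBACK TO SAVEPOINT direct_read;

RESET ROLE;
ROLLBACK;  -- leave the scratch database unchanged
```

Because the check is a privilege on the base table rather than a transformation of one statement type, it holds for every query shape, not only a plain SELECT.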
