From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: psql and security |
Date: | 2001-10-11 16:54:22 |
Message-ID: | 200110111654.f9BGsMn20407@candle.pha.pa.us |
Lists: | pgsql-general pgsql-hackers |
Patch applied. Thanks Tatsuo and Tom.
> Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp> writes:
> > As you can see, psql reconnects as any user if the password is the same as
> > foo. Of course this is due to the careless password setting, but I
> > think it's better to prompt ANY TIME the user tries to switch to
> > another user. Comments?
>
> Yeah, I agree. Looks like a simple change in dbconnect():
>
>     /*
>      * Use old password if no new one given (if you didn't have an old
>      * one, fine)
>      */
>     if (!pwparam && oldconn)
>         pwparam = PQpass(oldconn);
>
> to
>
>     /*
>      * Use old password (if any) if no new one given and we are
>      * reconnecting as same user
>      */
>     if (!pwparam && oldconn && PQuser(oldconn) && userparam &&
>         strcmp(PQuser(oldconn), userparam) == 0)
>         pwparam = PQpass(oldconn);
>
> regards, tom lane
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026