Re: How to deny user changing his own password?

From: Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl>
To: "Trewern, Ben" <Ben(dot)Trewern(at)mowlem(dot)com>
Cc: 'Jan Wieck' <JanWieck(at)Yahoo(dot)com>, adeon <adeon(at)tlen(dot)pl>, pgsql-general(at)postgresql(dot)org
Subject: Re: How to deny user changing his own password?
Date: 2003-05-29 20:54:24
Message-ID: 20030529205424.GG2878@dcc.uchile.cl
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Thu, May 29, 2003 at 05:36:04PM +0100, Trewern, Ben wrote:
> Now I think about this it would be useful: I have an Access database which
> connects to postgres and the password is saved in the access frontend. If
> someone (not sure how!) runs ALTER USER ..... WITH PASSWORD '....'; via the
> frontend they could disrupt the connection to the postgres backend. I'm
> sure a similar situation could happen with PHP or similar as you often don't
> use the postgres security features to secure your application.

Not sure with Access, but in general when running something backed by a
database you should not just allow arbitrary SQL reach the database.
There should be no way for any user of the application to execute an
ALTER USER query.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"Before you were born your parents weren't as boring as they are now. They
got that way paying your bills, cleaning up your room and listening to you
tell them how idealistic you are." -- Charles J. Sykes' advice to teenagers

In response to

Browse pgsql-general by date

  From Date Subject
Next Message scott.marlowe 2003-05-29 20:56:16 Re: Postmaster only takes 4-5% CPU
Previous Message scott.marlowe 2003-05-29 20:31:11 Re: FW: Blocking access to the database??