| From: | Andreas Pflug <pgadmin(at)pse-consulting(dot)de> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Thomas Bley <thbley(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: password is no required, authentication is overridden |
| Date: | 2006-07-19 12:35:42 |
| Message-ID: | 44BE271E.2010007@pse-consulting.de |
| Lists: | pgsql-hackers |
Andrew Dunstan wrote:
>>
>
> It strikes me that this is actually a bad thing for pgadmin3 to be
> doing. It should use its own file, not the default location, at least
> if the libpq version is >= 8.1. We provided the PGPASSFILE environment
> setting just so programs like this could use alternative locations for
> the pgpass file. Otherwise, it seems to me we are violating the POLS,
> as in the case of this user who not unnaturally thought he had found a
> major security hole.

.pgpass is THE mechanism for storing libpq passwords, so what is wrong?
If the account is assumed insecure, the user shouldn't check "store
password" in pgadmin3.

That's a libpq issue, not a pgadmin3 issue.

Regards,
Andreas