| From: | Chris Browne <cbbrowne(at)acm(dot)org> |
|---|---|
| To: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: Security Concerns over User 'postgres' |
| Date: | 2006-09-22 22:46:32 |
| Message-ID: | 607izvjz93.fsf@dba2.int.libertyrms.com |
| Lists: | pgsql-admin |

lvaningen(at)esncc(dot)com ("Lane Van Ingen") writes:
> Looked at /etc/shadow, and (in fact) it doesn't have a password, so I was
> wrong about that.
>
> Tried to use the login command to log directly into postgres, but for
> some reason could not do that on RHEL 4.0 either. So, like you said, I am
> not certain that I have a vulnerability here at all, other than su-ing from
> root.

I'm certain; you do NOT have a vulnerability there, if there is no
password in /etc/shadow. (Well, barring stupidity like dramatic
misconfiguration of PAM to accept logins without passwords :-).)

--
(format nil "~S(at)~S" "cbbrowne" "cbbrowne.com")
http://linuxdatabases.info/info/finances.html
Rules of the Evil Overlord #10. "I will not interrogate my enemies in
the inner sanctum -- a small hotel well outside my borders will work
just as well." <http://www.eviloverlord.com/>
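
The check discussed in this message, as an added example that is not part of the original email: a POSIX shell audit that classifies the password field of each shadow(5) entry and looks for the pam_unix `nullok` option, which is the kind of PAM setting that would let an entry with an empty field log in without a password. The sample entries, the sample PAM lines, and the function names are constructed for illustration; the PAM file path in the comment is an assumption about a typical RHEL layout.

```shell
#!/bin/sh
# Added example: classify shadow(5) password fields and look for pam_unix "nullok".
# All sample data is constructed. On a real host, run as root:
#   audit_shadow < /etc/shadow
#   pam_allows_null < /etc/pam.d/system-auth   # typical RHEL location (assumption)

SAMPLE_SHADOW='root:$1$CONSTRUCTED$notARealHashValue00000:13400:0:99999:7:::
postgres:!!:13400:0:99999:7:::
daemon:*:13400:0:99999:7:::
testuser::13400:0:99999:7:::'

SAMPLE_PAM='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
# auth      sufficient    pam_unix.so nullok
account     required      pam_unix.so'

# Classify field 2 of a shadow entry.
classify_field() {
    case "$1" in
        '')         echo EMPTY ;;   # no password required if PAM accepts null passwords
        '!'*|'*'*)  echo LOCKED ;;  # not a valid crypt(3) result: password login cannot succeed
        '$'*)       echo HASHED ;;  # modular crypt hash: a password is set
        *)          echo REVIEW ;;  # legacy DES hash or unexpected content
    esac
}

# Read shadow entries on stdin, print "user STATUS" per entry.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        if [ -n "$user" ]; then
            echo "$user $(classify_field "$field")"
        fi
    done
}

# Succeed if an active (uncommented) pam_unix auth line on stdin carries nullok.
pam_allows_null() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
if printf '%s\n' "$SAMPLE_PAM" | pam_allows_null; then
    echo "pam_unix nullok present: EMPTY entries are accepted without a password"
fi
```

A `LOCKED` result (`!!` or `*`) means no password can match; only `EMPTY` entries depend on how PAM is configured.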