| From: | Benjamin Adida <ben(at)mit(dot)edu> |
|---|---|
| To: | Philip Warner <pjw(at)rhyme(dot)com(dot)au>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Vince Vielhaber <vev(at)michvhf(dot)com> |
| Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Hannu Krosing <hannu(at)tm(dot)ee>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: So we're in agreement.... |
| Date: | 2000-05-08 15:59:10 |
| Message-ID: | B53C5C8E.3891%ben@mit.edu |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
on 5/8/00 11:38 AM, Philip Warner at pjw(at)rhyme(dot)com(dot)au wrote:
> I may well have missed something here, but it seems to me that the above
> scheme is also not particularly secure since someone who has managed to get
> access to the pg_shadow file will be able to fake a login by using a custom
> client. ie:
Yes, absolutely, but someone who gets the pg_shadow file can also alter the
database however he/she wants. The protocol defined prevents any knowledge
gained from sniffing, and prevents discovery of plaintext passwords from
looking at pg_shadow.
However, it does not prevent logins, as you mention, because once you have
the pg_shadow file, you've got everything anyways.
-Ben
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2000-05-08 16:02:30 | Re: So we're in agreement.... |
| Previous Message | Hiroshi Inoue | 2000-05-08 15:47:38 | RE: Recovering data from binary files? |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2000-05-08 16:02:30 | Re: So we're in agreement.... |
| Previous Message | Trond Eivind=?iso-8859-1?q?_Glomsr=F8d?= | 2000-05-08 15:47:46 | Re: Re: Ready to release? |