From: | The Hermit Hacker <scrappy(at)hub(dot)org> |
---|---|
To: | "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date: | 2000-05-05 23:25:10 |
Message-ID: | Pine.BSF.4.21.0005052023320.56194-100000@thelab.hub.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
On Sat, 6 May 2000, Sverre H. Huseby wrote:
> Don't know if you know this already, but since april 23, you've been
> on SecurityFocus.com for the cleartext passwords in pg_shadow:
>
> http://www.securityfocus.com/bid/1139
>
> I know it has been discussed at least a couple of times before, but in
> my opinion this is an issue that needs a solution.
>
> The problem with cleartext passwords is not just that root, postgres
> super user or anyone who has legally or illegally got access to the
> system can see the passwords a user uses to log in to PostgreSQL. The
> problem lies in the well known fact that we tend to use the same
> password several places, if not everywhere. With all the passwords
> needed these days, that is how it _has_ to be.
>
> The first PostgreSQL based site that gets cracked, will make headlines
> stating that passwords have got into the wrong hands. Do we (or you)
> want that?
You've lost me here ... the only person(s) that can get at those passwords
are those that have compromised the system already. Even if the passwords
*weren't* in cleartext, there is nothing that stops me from downloading
the data/* directory down to my computer and running pg_upgrade to "make
it my own", removing the passwords ...
Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy(at)hub(dot)org secondary: scrappy(at){freebsd|postgresql}.org
From | Date | Subject | |
---|---|---|---|
Next Message | Alex Pilosov | 2000-05-05 23:39:15 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Sverre H. Huseby | 2000-05-05 22:40:24 | You're on SecurityFocus.com for the cleartext passwords. |
From | Date | Subject | |
---|---|---|---|
Next Message | Alex Pilosov | 2000-05-05 23:39:15 | Re: You're on SecurityFocus.com for the cleartext passwords. |
Previous Message | Tom Lane | 2000-05-05 23:22:41 | Re: pg_group_name_index corrupt? |