Re: reuse sysids security hole?

From: Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Postgresql Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: reuse sysids security hole?
Date: 2003-08-12 14:42:56
Message-ID: Pine.LNX.4.21.0308130039410.17517-100000@linuxworld.com.au
Lists: pgsql-hackers

On Tue, 12 Aug 2003, Andrew Dunstan wrote:

>
> (Thought triggered by something Tom said the other day)
>
> Is this a security hole? Looks like one to me. Would it be better to use
> a sequence generator for sysids instead of using max+1 on the user
> table? Or else store the last sysid used somewhere?

This issue has been discussed before and it was agreed that since most
UNIX systems will behave in the same way, there's no way to know. Also, it
is not possible for a given database to know the max(sysid) of pg_user in
another database.

Thanks,

Gavin
