From: | The Hermit Hacker <scrappy(at)hub(dot)org> |
---|---|
To: | Jan Wieck <jwieck(at)debis(dot)com> |
Cc: | Zeugswetter Andreas SARZ <Andreas(dot)Zeugswetter(at)telecom(dot)at>, pgsql-hackers(at)hub(dot)org |
Subject: | Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) |
Date: | 1998-02-19 14:58:53 |
Message-ID: | Pine.NEB.3.95.980219095656.17102H-100000@hub.org |
Lists: | pgsql-hackers |
On Thu, 19 Feb 1998, Jan Wieck wrote:
> >
> > Hi all,
> >
> > What about:
> > grant select on pg_user to public;
> > create rule pg_user_hide_pw as on
> > select to pg_user.passwd
> > do instead select '********' as passwd;
> >
> > Then if I do:
> > select * from pg_user;
> > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd |valuntil
> > --------+--------+-----------+--------+--------+---------+--------+----------------------------
> > postgres| 6|t |t |t |t |********|Sat Jan 31 07:00:00 2037 NFT
> > zeus | 60|t |t |f |t |********|
> > (2 rows)
> >
> > Also the \d works for all users !
> >
> > Only "disadvantage" is that no one can read passwd without first dropping the
> > rule pg_user_hide_pw,
> > I consider this a feature though ;-)
> >
> > Since the user authentication bypasses the rewrite mechanism the logins,
> > alter user .. and others do work !
> >
> > Can all of you try to crack this ?
>
> Cracked!
>
> create table get_passwds (usename name, passwd text);
> insert into get_passwds select usename, passwd from pg_user;
> select * from get_passwds;
> usename|passwd
> -------+------
> pgsql |
> wieck |test
> (2 rows)
Okay, it's moving in the right direction though...is there a flaw in the
rules system that allows this to get around this in this manner? Nice
thing about this is that it doesn't require any 'front end' rewrites,
which is a good thing...

IMHO, this is an acceptable solution to the problem for v6.3's
release...better than ripping out the code altogether...
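The exchange above shows masking applied on one query path while the base relation stays readable through another. As an added example (not part of the original message or of the PostgreSQL sources), the sketch below puts the control on the relation itself: the table holding the secret is not readable by ordinary roles, and a view exposes only the masked column. It assumes a current PostgreSQL, where a view is checked against its owner's privileges; `app_shadow`, `app_user` and `demo_reader` are hypothetical names and the row is constructed.

```sql
-- Run as a role allowed to create roles. All names below are hypothetical
-- and the data is constructed for the example.
CREATE TABLE app_shadow (
    usename name PRIMARY KEY,
    passwd  text
);
INSERT INTO app_shadow VALUES ('alice', 'constructed-secret');

-- Access control on the base table: ordinary roles get nothing.
REVOKE ALL ON app_shadow FROM PUBLIC;

-- The public interface never selects the real column, so there is no
-- query shape (SELECT, INSERT ... SELECT, CREATE TABLE AS) that returns it.
CREATE VIEW app_user AS
    SELECT usename, '********'::text AS passwd
    FROM app_shadow;
GRANT SELECT ON app_user TO PUBLIC;

-- Check from an unprivileged role.
CREATE ROLE demo_reader;
SET ROLE demo_reader;

-- Plain read: passwd is masked.
SELECT * FROM app_user;

-- The copy-into-another-table path from the thread: only the mask is copied.
CREATE TEMP TABLE get_passwds AS
    SELECT usename, passwd FROM app_user;
SELECT * FROM get_passwds;

-- Direct read of the base table is refused with a permission error.
SELECT usename, passwd FROM app_shadow;

-- Cleanup.
DROP TABLE get_passwds;
RESET ROLE;
DROP VIEW app_user;
DROP TABLE app_shadow;
DROP ROLE demo_reader;
```

The check that matters is the pair of statements run as `demo_reader`: the copied table contains only `********`, and the direct `SELECT` on `app_shadow` fails.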