Re: user authentication crash by Erik Luke (20-08-2001;

From: "Thomas Yackel" <yackelt(at)ohsu(dot)edu>
To: <eluke(at)cs(dot)montana(dot)edu>, <justin(at)postgresql(dot)org>, <pgsql-bugs(at)postgresql(dot)org>, <pgsql-hackers(at)postgresql(dot)org>, <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: user authentication crash by Erik Luke (20-08-2001;
Date: 2001-11-01 06:42:16
Message-ID: sbe07e58.037@gwsmtp.ohsu.edu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs pgsql-hackers

A few clarifications so you have more to go on:

to create the problem, we used the sql command with the "';" following the [CR] at the end of the typed characters as shown here:

alter user yyyyy with password 'xxxxxx
';

then we attempted to log in as that user from another users' local session using the psql -username=yyyyy command.

none of the users had a 'validuntil' date (it was null). But setting one didn't help either.

we are using 7.1.3 on a solaris machine. We noticed the problem when we examined the pg_pwd file and saw that the validuntil date we entered was preceded what looked like an early line wrap.

I was quite surprised that such a small input error could cause the backend to shutdown. Should psql remove [CR]s that are contained within ''? (at least for this command)?

Thanks for looking into this problem.

Tom

>>> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> 10/31/01 21:43 PM >>>
"Thomas Yackel" <yackelt(at)ohsu(dot)edu> writes:
> I got the error: "Bad abstime external representation ''" when attempted to start psql as a particular user and the postmaster shutdown.

> The problem, we discovered, is that this user had a carriage return contained within his password. Changing the password to remove the CR avoided the system shutdown.

Hmm. I can see how a linefeed in a password would create a problem (it
breaks the line-oriented formatting of the pg_pwd file). However, I
can't reproduce a postmaster crash here. Either I'm not testing the
right combination of circumstances, or current sources are more robust
about this tha 7.1. That's not unlikely given that Bruce rewrote the
password-file-parsing code a couple months ago.

In any case it seems like it'd be a good idea to forbid nonprinting
characters in passwords. Comments anyone?

regards, tom lane

Browse pgsql-bugs by date

  From Date Subject
Next Message Cyril VELTER 2001-11-01 16:40:46 Union View Optimization
Previous Message Tom Lane 2001-11-01 05:28:25 Re: user authentication crash by Erik Luke (20-08-2001; 1.3kb)

Browse pgsql-hackers by date

  From Date Subject
Next Message Klaus Reger 2001-11-01 07:02:01 import/export of large objects on server-side
Previous Message Tom Lane 2001-11-01 06:18:09 Re: Warnings in CVS build