Home > mailing lists

Re: psql and security - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: psql and security
Date	September 21, 2001 10:29:52
Msg-id	28061.1001082578@sss.pgh.pa.us Whole thread Raw
In response to	psql and security (Tatsuo Ishii <t-ishii@sra.co.jp>)
Responses	Re: psql and security
List	pgsql-hackers

Tree view

Tatsuo Ishii <t-ishii@sra.co.jp> writes:
> As you can see, psql reconnect as any user if the password is same as
> foo. Of course this is due to the careless password setting, but I
> think it's better to prompt ANY TIME the user tries to switch to
> another user. Comments?

Yeah, I agree.  Looks like a simple change in dbconnect():
   /*    * Use old password if no new one given (if you didn't have an old    * one, fine)    */   if (!pwparam &&
oldconn)      pwparam = PQpass(oldconn);
 

to
   /*    * Use old password (if any) if no new one given and we are    * reconnecting as same user    */   if (!pwparam
&&oldconn && PQuser(oldconn) && userparam &&       strcmp(PQuser(oldconn), userparam) == 0)       pwparam =
PQpass(oldconn);
        regards, tom lane

pgsql-hackers by date:

From: "Otto Hirr"
Date: 21 September 2001, 10:29:23
Subject: Re: cvsup trouble - ODBC blown away !?!?

From: Tom Lane
Date: 21 September 2001, 10:46:53
Subject: Re: psql and security

Re: psql and security - Mailing list pgsql-hackers

Previous

Next