Thread: Replacing MD5 hash in pg_auth...
Hello,

Is it correct to assume that if a user has write permission to \data\global\pg_auth on a Win32 machine, the superuser's MD5 hash can be replaced with one of a known origin in order to own the DB?

I do practice as noted in the Win FAQ, just want to make sure I am not missing something:

"If you are running PostgreSQL on a multi-user system, you should remove the permissions from all non-administrative users from the PostgreSQL directories. No user ever needs permissions on the PostgreSQL files - all communication is done through the libpq connection. Direct access to data files can lead to information disclosure or system instability!"

Thanks in advance for any input,
Peter van der Maas

On Apr 14, 2006, at 6:47 PM, Peter van der Maas wrote:

> Hello,
>
> Is it correct to assume that if a user has write permission to
> \data\global\pg_auth on a Win32 machine, the superuser's MD5 hash
> can be replaced with one of a known origin in order to own the DB?

Probably. It'd be much easier to edit pg_hba.conf, though.

If anyone other than postgres has read permission, let alone write permission, to /usr/local/pgsql/data or equivalent, or anywhere underneath there, you're on very shaky security grounds.

> I do practice as noted in the Win FAQ, just want to make sure I am not
> missing something:
>
> "If you are running PostgreSQL on a multi-user system, you should remove
> the permissions from all non-administrative users from the PostgreSQL
> directories. No user ever needs permissions on the PostgreSQL files -
> all communication is done through the libpq connection. Direct access to
> data files can lead to information disclosure or system instability!"

As in "We 0wn3rz y0uz database".

Cheers,
Steve

Steve Atkins <steve@blighty.com> writes:

> On Apr 14, 2006, at 6:47 PM, Peter van der Maas wrote:
>> Is it correct to assume that if a user has write permission to
>> \data\global\pg_auth on a Win32 machine, the superuser's MD5 hash
>> can be replaced with one of a known origin in order to own the DB?
>
> Probably. It'd be much easier to edit pg_hba.conf, though.

Actually, if you have write permission on the $PGDATA tree, you *already* own the DB for every practical purpose. Focusing on passwords is silly.

regards,
tom lane

On 2006-04-15, "Peter van der Maas" <peter@abitogroup.com> wrote:

> Hello,
>
> Is it correct to assume that if a user has write permission to
> \data\global\pg_auth on a Win32 machine, the superuser's MD5 hash can be
> replaced with one of a known origin in order to own the DB?

It's worse than that. If you can _read_ pg_auth, then you can log in as any user who has an MD5 password provided that pg_hba.conf allows md5 auth - the values stored in pg_auth (and pg_shadow) are password equivalents for the purposes of md5 auth.

--
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services
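
Added example, not part of the original thread or of PostgreSQL: a small audit that flags anything under the data directory that a non-owner can read or write, the condition the replies above describe. It checks POSIX mode bits only, so it fits the /usr/local/pgsql/data case and not Win32 ACLs; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_pgdata(pgdata):
    """Return sorted (relative_path, finding) pairs for every entry in the
    data directory tree that grants any permission to group or other."""
    paths = [pgdata]
    for root, dirs, files in os.walk(pgdata):
        paths.extend(os.path.join(root, name) for name in dirs + files)

    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits do not control access
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Write access anywhere in the tree means control of the database.
            findings.append((os.path.relpath(path, pgdata), "non-owner write"))
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # Read access exposes stored hashes, which are password equivalents.
            findings.append((os.path.relpath(path, pgdata), "non-owner access"))
    return sorted(findings)


def demo():
    """Audit a constructed data directory holding two deliberately loose files."""
    with tempfile.TemporaryDirectory() as pgdata:
        os.chmod(pgdata, 0o700)
        os.mkdir(os.path.join(pgdata, "global"))
        os.chmod(os.path.join(pgdata, "global"), 0o700)
        sample = (
            ("pg_hba.conf", 0o664),     # constructed: group-writable
            ("global/pg_auth", 0o644),  # constructed: world-readable
            ("PG_VERSION", 0o600),      # constructed: owner only, no finding
        )
        for rel, mode in sample:
            path = os.path.join(pgdata, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit_pgdata(pgdata)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding}: {rel}")
```

Run against a real data directory, the check has to execute as the owning account or as root, because a correctly locked-down tree cannot be listed by anyone else.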