Thread

  1. Re: New pg_pwd patch and stuff

    Bruce Momjian <maillist@candle.pha.pa.us> — 1998-01-11T21:53:27Z

    > > It has to be this way, otherwise it would be possible for user to see
    > > other users' passwords in pg_user.  I spoke to you all about this when I
    > > first started.  I was going to make a separate relation (pg_password),
    > > but I was convinced not to since there is a one to one correlation
    > > between users and passwords.  At this point I sent email to the effect
    > > that pg_user could no longer be readable by the group 'public'.  If it
    > > was readable by public, then the passwords would have to be encrypted in
    > > pg_user.  If this is the case, then the frontends will have to pass an
    > > unencrypted password over the network.  Again this degrades the security
    > > of PostgreSQL. 
    > > 
    > > The real solution to this problem would be to create a pg_privileges
    > > relation, overhauling the privileges system entirely.  Then we could
    > > just restrict access to the password column of pg_user.  However, I
    > > would suggest that the entire pg_privileges table be cached in shared
    > > memory to speed things up.  I am unsure if the catalog tables are cached
    > > in shared memory or not (They really should be, but then this would
    > > probably require some logging to files in case of system crash).
    > > 
    > > In the meantime, there should really be nothing that the average user
    > > will need from pg_user.  The '\d' is the only problem I have encountered
    > > thus far, and I hope to solve that problem soon.  Therefore, if you
    > > really, really need something from pg_user, then you need to have select
    > > privileges given to you explicitly, or you could explicitly give them to
    > > public.  This would, however, give public the ability to see user
    > > passwords (If you are using HBA only, then just give public the select
    > > over pg_user).
    > 
    > 	Wait, let me just get this straight here...pg_user is, by default,
    > unreadable by the general public, but is changeable just using a simple
    > grant/revoke??
    > 
    > 	If so, I'm confused as to why this is a bad thing?  Bruce?  Sort
    > of seems to me that it's like the TCP/Unix Socket argument...go to the most
    > secure first, then let the one setting it up downgrade as they feel is
    > appropriate...no?
    
    OK, general question.  Does pg_user need to be readable?  Do
    non-postgres users want to see who owns each table?  I don't know.
    
    -- 
    Bruce Momjian
    maillist@candle.pha.pa.us
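The column-level restriction the quoted text hopes to get from a pg_privileges overhaul can be approximated with a definer-owned view: revoke the catalog from PUBLIC, then expose only the non-password columns. This is an added example, not code from the thread; the column names usename and usesysid and the view name pg_user_public are assumptions, and in PostgreSQL a view runs with its owner's privileges, so a superuser-owned view can read pg_user on behalf of the caller.

```sql
-- Added example (not from the thread). Assumed: pg_user carries a cleartext
-- passwd column next to usename/usesysid, as the quoted message describes.

-- Step 1: the catalog itself is no longer readable by everyone.
REVOKE ALL ON pg_user FROM PUBLIC;

-- Step 2: a view that deliberately omits passwd (and valuntil) covers the
-- ownership lookups that tools like \d need.  Created by the superuser, so
-- the view owner's rights are used to read pg_user underneath it.
CREATE VIEW pg_user_public AS
    SELECT usename, usesysid
      FROM pg_user;

-- Step 3: only the sanitised view is handed to the group 'public'.
GRANT SELECT ON pg_user_public TO PUBLIC;

-- Check from an ordinary account: the first query succeeds, the second is
-- denied, and the view has no password column to select at all.
SELECT usename FROM pg_user_public;
SELECT passwd  FROM pg_user;   -- expected: permission denied
```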