Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Bruce Momjian <maillist@candle.pha.pa.us>
From: Bruce Momjian <maillist@candle.pha.pa.us>
To: Andreas.Zeugswetter@telecom.at (Zeugswetter Andreas SARZ)
Cc: pgsql-hackers@hub.org
Date: 1998-02-19T14:50:32Z
Lists: pgsql-hackers
> > Hi all, > > What about: > grant select on pg_user to public; > create rule pg_user_hide_pw as on > select to pg_user.passwd > do instead select '********' as passwd; When I see this, the word 'genius' comes to mind. What a brilliantly elegant solution to the problem. > > Then if I do: > select * from pg_user; > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd |valuntil > --------+--------+-----------+--------+--------+---------+--------+--------- > ------------------- > postgres| 6|t |t |t |t |********|Sat Jan > 31 07:00:00 2037 NFT > zeus | 60|t |t |f |t |********| > (2 rows) > > Also the \d works for all users ! > > Only "disadvantage" is that noone can read passwd without first dropping the > rule pg_user_hide_pw, > I consider this a feature though ;-) > > Since the userauthentication bypasses the rewrite mechanism the logins, > alter user .. and others do work ! > > Can all of you try to crack this ? > > (c) Andreas Zeugswetter > > Copyright by Andreas Zeugswetter 1998 contributed to the postgresql project > ;-) > Wow, I am actually proud of this (so far, and hope it holds what I think it > does) > > > -- Bruce Momjian maillist@candle.pha.pa.us