Re: [HACKERS] Updated TODO list
Bruce Momjian <maillist@candle.pha.pa.us>
From: Bruce Momjian <maillist@candle.pha.pa.us>
To: John Ridout <johnridout@ctasystems.co.uk>
Cc: "'pgsql-hackers'" <pgsql-hackers@postgreSQL.org>
Date: 1999-07-12T13:23:25Z
Lists: pgsql-hackers
> I can "select * from pgshadow" as the database owner. Are you saying you can do this as a database owner, not the postgres user? I just tried it, and was not able to see the table contents: xx=> select * from pg_shadow; ERROR: pg_shadow: Permission denied. Yes, only the installation owner can do that. No way to do password stuff unless the 'postgres' user can access the passwords, righ? Is that a problem? > > -----Original Message----- > > From: owner-pgsql-hackers@postgreSQL.org > > [mailto:owner-pgsql-hackers@postgreSQL.org]On Behalf Of Bruce Momjian > > Sent: 09 July 1999 17:41 > > To: Hannu Krosing > > Cc: Gene Sokolov; PostgreSQL-development > > Subject: Re: [HACKERS] Updated TODO list > > > > > > > > But we don't, do we? I thougth they were hashed. > > > > > > do > > > select * from pg_shadow; > > > > > > I think that it was agreed that it is better when they > > can't bw snatched > > > from > > > network than to have them hashed in db. > > > Using currently known technologies we must either either know the > > > original password > > > and use challenge-response on net, or else use plaintext > > (or equivalent) > > > on the wire. > > > > Yes, I remember now, we hash them with random salt before sending them > > to the client, and they are only visible to the postgres user. > > > > -- > > Bruce Momjian | http://www.op.net/~candle > > maillist@candle.pha.pa.us | (610) 853-3000 > > + If your life is a hard drive, | 830 Blythe Avenue > > + Christ can be your backup. | Drexel Hill, > > Pennsylvania 19026 > > > > > > -- Bruce Momjian | http://www.op.net/~candle maillist@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026