AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Zeugswetter Andreas <andreas.zeugswetter@telecom.at>
From: Zeugswetter Andreas SARZ <Andreas.Zeugswetter@telecom.at>
To: "'Jan Wieck'" <jwieck@debis.com>
Cc: "'pgsql-hackers@hub.org'" <pgsql-hackers@hub.org>
Date: 1998-02-19T15:08:41Z
Lists: pgsql-hackers
The command copy pg_user to stdout; will also show the cleartext password and I think it is hard to do a rewrite here, since this would also affect the pg_dump ? * Teardrops keep falling on my head ... * :-( Andreas > ---------- > Von: Jan Wieck[SMTP:jwieck@debis.com] > Antwort an: Jan Wieck > Gesendet: Donnerstag, 19. Februar 1998 15:53 > An: Zeugswetter Andreas SARZ > Cc: pgsql-hackers@hub.org > Betreff: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c) > > > > > Hi all, > > > > What about: > > grant select on pg_user to public; > > create rule pg_user_hide_pw as on > > select to pg_user.passwd > > do instead select '********' as passwd; > > > > Then if I do: > > select * from pg_user; > > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd > |valuntil > > > --------+--------+-----------+--------+--------+---------+--------+------- > -- > > ------------------- > > postgres| 6|t |t |t |t |********|Sat > Jan > > 31 07:00:00 2037 NFT > > zeus | 60|t |t |f |t |********| > > (2 rows) > > > > Also the \d works for all users ! > > > > Only "disadvantage" is that noone can read passwd without first dropping > the > > rule pg_user_hide_pw, > > I consider this a feature though ;-) > > > > Since the userauthentication bypasses the rewrite mechanism the logins, > > alter user .. and others do work ! > > > > Can all of you try to crack this ? > > Cracked! > > create table get_passwds (usename name, passwd text); > insert into get_passwds select usename, passwd from pg_user; > select * from get_passwds; > usename|passwd > -------+------ > pgsql | > wieck |test > (2 rows) > > > > Sorry, Jan > > -- > > #======================================================================# > # It's easier to get forgiveness for being wrong than for being right. # > # Let's break this rule - forgive me. # > #======================================== jwieck@debis.com (Jan Wieck) # > > >