AW: [HACKERS] Solution to the pg_user passwd problem !?? (c)

Zeugswetter Andreas <andreas.zeugswetter@telecom.at>

From: Zeugswetter Andreas SARZ <Andreas.Zeugswetter@telecom.at>
To: "'Jan Wieck'" <jwieck@debis.com>
Cc: "'pgsql-hackers@hub.org'" <pgsql-hackers@hub.org>
Date: 1998-02-19T15:08:41Z
Lists: pgsql-hackers
The command 
copy pg_user to stdout;

will also show the cleartext password and I think it is hard to do a rewrite
here,
since this would also affect the pg_dump ?

* Teardrops keep falling on my head ... *  :-(

Andreas
> ----------
> Von: 	Jan Wieck[SMTP:jwieck@debis.com]
> Antwort an: 	Jan Wieck
> Gesendet: 	Donnerstag, 19. Februar 1998 15:53
> An: 	Zeugswetter Andreas SARZ
> Cc: 	pgsql-hackers@hub.org
> Betreff: 	Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
> 
> >
> > Hi all,
> >
> > What about:
> > grant select on pg_user to public;
> > create rule pg_user_hide_pw as on
> > select to pg_user.passwd
> > do instead select '********' as passwd;
> >
> > Then if I do:
> > select * from pg_user;
> > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd
> |valuntil
> >
> --------+--------+-----------+--------+--------+---------+--------+-------
> --
> > -------------------
> > postgres|       6|t          |t       |t       |t        |********|Sat
> Jan
> > 31 07:00:00 2037 NFT
> > zeus    |      60|t          |t       |f       |t        |********|
> > (2 rows)
> >
> > Also the \d works for all users !
> >
> > Only "disadvantage" is that noone can read passwd without first dropping
> the
> > rule pg_user_hide_pw,
> > I consider this a feature though ;-)
> >
> > Since the userauthentication bypasses the rewrite mechanism the logins,
> > alter user .. and others do work !
> >
> > Can all of you try to crack this ?
> 
>     Cracked!
> 
>     create table get_passwds (usename name, passwd text);
>     insert into get_passwds select usename, passwd from pg_user;
>     select * from get_passwds;
>     usename|passwd
>     -------+------
>     pgsql  |
>     wieck  |test
>     (2 rows)
> 
> 
> 
> Sorry, Jan
> 
> --
> 
> #======================================================================#
> # It's easier to get forgiveness for being wrong than for being right. #
> # Let's break this rule - forgive me.                                  #
> #======================================== jwieck@debis.com (Jan Wieck) #
> 
> 
>