Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command
Feike Steenbergen <feikesteenbergen@gmail.com>
From: Feike Steenbergen <feikesteenbergen@gmail.com>
To: andrew.wheelwright@familysearch.org
Cc: PostgreSQL mailing lists <pgsql-bugs@postgresql.org>
Date: 2017-03-29T14:54:03Z
Lists: pgsql-bugs
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revise the permission checking on user mapping DDL commands.
- 93a6be63a55a 8.4.0 cited
> If a standard user logs into Alice using command line client, psql, and runs > the command \deu+, the password for both the standard_user and the > power_user will be visible in the displayed user mapping. \deu+ queries pg_catalog.pg_user_mappings, which itself is a view on top of pg_user_mapping. The permissions on pg_user_mapping (the table) seem sane, they do not allow you to see the values. The permissions on pg_user_mappings (the view) are too wide it seems. you could - for your current environment - use the following workaround on all your databases: REVOKE SELECT ON pg_user_mappings FROM public; I do think this needs a fix however, these credentials should not be visible to public. regards, Feike