Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Marc G. Fournier <scrappy@hub.org>
From: The Hermit Hacker <scrappy@hub.org>
To: Jan Wieck <jwieck@debis.com>
Cc: Zeugswetter Andreas SARZ <Andreas.Zeugswetter@telecom.at>, pgsql-hackers@hub.org
Date: 1998-02-19T14:58:53Z
Lists: pgsql-hackers
On Thu, 19 Feb 1998, Jan Wieck wrote: > > > > Hi all, > > > > What about: > > grant select on pg_user to public; > > create rule pg_user_hide_pw as on > > select to pg_user.passwd > > do instead select '********' as passwd; > > > > Then if I do: > > select * from pg_user; > > usename |usesysid|usecreatedb|usetrace|usesuper|usecatupd|passwd |valuntil > > --------+--------+-----------+--------+--------+---------+--------+--------- > > ------------------- > > postgres| 6|t |t |t |t |********|Sat Jan > > 31 07:00:00 2037 NFT > > zeus | 60|t |t |f |t |********| > > (2 rows) > > > > Also the \d works for all users ! > > > > Only "disadvantage" is that noone can read passwd without first dropping the > > rule pg_user_hide_pw, > > I consider this a feature though ;-) > > > > Since the userauthentication bypasses the rewrite mechanism the logins, > > alter user .. and others do work ! > > > > Can all of you try to crack this ? > > Cracked! > > create table get_passwds (usename name, passwd text); > insert into get_passwds select usename, passwd from pg_user; > select * from get_passwds; > usename|passwd > -------+------ > pgsql | > wieck |test > (2 rows) Okay, its moving in the right direction though...is there a flaw in the rules system that allows this to get around this in this manner? Nice thing about this is that it doesn't require any 'front end' rewrites, which is a good thing... IMHO, this is an acceptable solution to the problem for v6.3s release...better then ripping out the code altogether...