Re: [HACKERS] psql and security

2001-10-11 Thread Bruce Momjian


Patch applied.  Thanks Tatsuo and Tom.

 Tatsuo Ishii [EMAIL PROTECTED] writes:
  As you can see, psql reconnect as any user if the password is same as
  foo. Of course this is due to the careless password setting, but I
  think it's better to prompt ANY TIME the user tries to switch to
  another user. Comments?
 
 Yeah, I agree.  Looks like a simple change in dbconnect():
 
 /*
  * Use old password if no new one given (if you didn't have an old
  * one, fine)
  */
 if (!pwparam && oldconn)
     pwparam = PQpass(oldconn);
 
 to
 
 /*
  * Use old password (if any) if no new one given and we are
  * reconnecting as same user
  */
 if (!pwparam && oldconn && PQuser(oldconn) && userparam &&
     strcmp(PQuser(oldconn), userparam) == 0)
     pwparam = PQpass(oldconn);
 
   regards, tom lane
 
 ---(end of broadcast)---
 TIP 3: if posting/reading through Usenet, please send an appropriate
 subscribe-nomail command to [EMAIL PROTECTED] so that your
 message can get through to the mailing list cleanly
 

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 853-3000
  +  If your life is a hard drive, |  830 Blythe Avenue
  +  Christ can be your backup.|  Drexel Hill, Pennsylvania 19026

---(end of broadcast)---
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]



Re: [HACKERS] psql and security

2001-09-21 Thread Tom Lane

Tatsuo Ishii [EMAIL PROTECTED] writes:
 As you can see, psql reconnect as any user if the password is same as
 foo. Of course this is due to the careless password setting, but I
 think it's better to prompt ANY TIME the user tries to switch to
 another user. Comments?

Yeah, I agree.  Looks like a simple change in dbconnect():

/*
 * Use old password if no new one given (if you didn't have an old
 * one, fine)
 */
if (!pwparam && oldconn)
    pwparam = PQpass(oldconn);

to

/*
 * Use old password (if any) if no new one given and we are
 * reconnecting as same user
 */
if (!pwparam && oldconn && PQuser(oldconn) && userparam &&
    strcmp(PQuser(oldconn), userparam) == 0)
    pwparam = PQpass(oldconn);

regards, tom lane
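
The two versions of the check quoted above, side by side, as an added example that is not part of the original message or of psql's source. struct conn, conn_user(), conn_pass() and the pick_password_* functions are hypothetical stand-ins for PGconn, PQuser(), PQpass() and the code in dbconnect(), so the block compiles without libpq; the session values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libpq's PGconn: just the two values the check
 * reads.  In psql they come from PQuser(oldconn) and PQpass(oldconn). */
struct conn { const char *user; const char *pass; };
static const char *conn_user(const struct conn *c) { return c->user; }
static const char *conn_pass(const struct conn *c) { return c->pass; }

/* Before the change: the old password is reused whenever no new one was
 * given; the requested user name is never consulted. */
const char *pick_password_before(const char *pwparam,
                                 const struct conn *oldconn,
                                 const char *userparam)
{
    (void) userparam;
    if (!pwparam && oldconn)
        pwparam = conn_pass(oldconn);
    return pwparam;
}

/* After the change: reuse only when reconnecting as the same user.
 * A NULL result means nothing is carried over from the old session. */
const char *pick_password_after(const char *pwparam,
                                const struct conn *oldconn,
                                const char *userparam)
{
    if (!pwparam && oldconn && conn_user(oldconn) && userparam &&
        strcmp(conn_user(oldconn), userparam) == 0)
        pwparam = conn_pass(oldconn);
    return pwparam;
}

int main(void)
{
    /* Constructed sample session: connected as "alice". */
    struct conn alice = { "alice", "alice-pw" };
    const char *targets[] = { "alice", "bob" };

    for (int i = 0; i < 2; i++) {
        const char *b = pick_password_before(NULL, &alice, targets[i]);
        const char *a = pick_password_after(NULL, &alice, targets[i]);
        printf("reconnect as %-5s  before: %-10s after: %s\n", targets[i],
               b ? "reuses old" : "none", a ? "reuses old" : "none");
    }
    return 0;
}
```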




Re: [HACKERS] psql and security

2001-09-21 Thread Peter Eisentraut

Tatsuo Ishii writes:

 As you can see, psql reconnect as any user if the password is same as
 foo. Of course this is due to the careless password setting, but I
 think it's better to prompt ANY TIME the user tries to switch to
 another user.

I'm not sure.  A few users have voiced concerns about this before, but we
have no count of the users that might enjoy this convenience. ;-)

Basically, the attack scenario here is that if you have a psql running and
leave your terminal, someone else can come in and get access to any other
database that you might have access to, without knowing your password.
But given a running psql, figuring out the password isn't so hard (running
a debugger or inducing a core dump would be likely options), and
concluding that this password is valid for all databases is trivial since
that's the default setup.

-- 
Peter Eisentraut   [EMAIL PROTECTED]   http://funkturm.homeip.net/~peter





Re: [HACKERS] psql and security

2001-09-21 Thread Zeugswetter Andreas SB SD


  As you can see, psql reconnect as any user if the password is same as
  foo. Of course this is due to the careless password setting, but I
  think it's better to prompt ANY TIME the user tries to switch to
  another user.
 
 I'm not sure.  A few users have voiced concerns about this before, but we
 have no count of the users that might enjoy this convenience. ;-)
 
 Basically, the attack scenario here is that if you have a psql running and
 leave your terminal, someone else can come in and get access to any other
 database that you might have access to, without knowing your password.
 But given a running psql, figuring out the password isn't so hard (running
 a debugger or inducing a core dump would be likely options), and
 concluding that this password is valid for all databases is trivial since
 that's the default setup.

This feature was added to conveniently let an already connected user
switch to another database. Imho you could distinguish the exact case at
hand, where a new user was specified and prompt for a new password.

Andreas

---(end of broadcast)---
TIP 2: you can get off all lists at once with the unregister command
(send unregister YourEmailAddressHere to [EMAIL PROTECTED])



Re: [HACKERS] psql and security

2001-09-21 Thread Tom Lane

Peter Eisentraut [EMAIL PROTECTED] writes:
 concluding that this password is valid for all databases is trivial since
 that's the default setup.

No, I think you're missing the point --- we're concerned about
reconnecting as a different user, not reconnecting to a different
database.  The issue is that psql will silently try to use user A's
password to authenticate as user B.  While one would hope that this
fails, it doesn't seem like a good idea even to try it.

regards, tom lane




Re: [HACKERS] psql and security

2001-09-21 Thread Peter Eisentraut

Tom Lane writes:

 No, I think you're missing the point --- we're concerned about
 reconnecting as a different user, not reconnecting to a different
 database.

Oh, of course.  I agree, in that case the password shouldn't be reused.

-- 
Peter Eisentraut   [EMAIL PROTECTED]   http://funkturm.homeip.net/~peter

