> -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Andrew Dunstan > Sent: 19 July 2006 13:55 > To: Hiroshi Saito > Cc: Thomas Bley; email@example.com > Subject: Re: [HACKERS] password is no required, > authentication is overridden > > > I don't understand what you are saying here. The problem is > that it is > not clear (at least to the original user, and maybe to > others) that when > pgadmin3 saves a password it saves it where it will be found by all > libpq clients, not just by pgadmin3.
From: http://www.pgadmin.org/docs/1.4/connect.html If you select "store password", pgAdmin stores passwords you enter in the ~/.pgpass file under *nix or %APPDATA%\postgresql\pgpass.conf under Win32 for later reuse. For details, see pgpass documentation. It will be used for all libpq based tools. If you want the password removed, you can select the server's properties and uncheck the selection any time. > How is that optimal? If pgadmin3 > were to save it in a non-standard location and then set PGPASSFILE to > point to that location that would solve the problem. Or maybe > it should > offer a choice. Either way, how would a malicious user affect that? > PGPASSFILE only contains a location, not the contents of the file, so > exposing it is not any great security issue, as long as the > location is > itself protected. We have no sensible way of determining whether or not the libpq we are running with supports PGPASSFILE. Regards, Dave. ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq