Dave Page wrote:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Dunstan
> Sent: 19 July 2006 13:55
> To: Hiroshi Saito
> Cc: Thomas Bley; pgsql-hackers@postgresql.org
> Subject: Re: [HACKERS] password is no required, authentication is overridden
>> I don't understand what you are saying here. The problem is that it is
>> not clear (at least to the original user, and maybe to others) that when
>> pgadmin3 saves a password it saves it where it will be found by all
>> libpq clients, not just by pgadmin3.
> From: http://www.pgadmin.org/docs/1.4/connect.html
>
> If you select "store password", pgAdmin stores passwords you enter in
> the ~/.pgpass file under *nix or %APPDATA%\postgresql\pgpass.conf under
> Win32 for later reuse. For details, see pgpass documentation. It will be
> used for all libpq based tools. If you want the password removed, you
> can select the server's properties and uncheck the selection any time.
OK, although I am not sure I think that is sensible - it is at least
documented. Does the dialog box also carry similar info?
>> How is that optimal? If pgadmin3 were to save it in a non-standard
>> location and then set PGPASSFILE to point to that location that would
>> solve the problem. Or maybe it should offer a choice. Either way, how
>> would a malicious user affect that? PGPASSFILE only contains a location,
>> not the contents of the file, so exposing it is not any great security
>> issue, as long as the location is itself protected.
> We have no sensible way of determining whether or not the libpq we are
> running with supports PGPASSFILE.
Well, this answer is better. The lack of an API to tell you the library
version is possibly worrying, though.

cheers

andrew
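The thread turns on two facts about the libpq password file: it is consulted by every libpq client, and (on Unix) libpq only trusts it when the file is not group- or world-accessible, so the location pointed to by PGPASSFILE is only as safe as its permissions. The following Python script is an added illustration written for this page, not code from PostgreSQL, pgAdmin or any of the posters; it resolves the path the way the thread describes (PGPASSFILE, else ~/.pgpass or %APPDATA%\postgresql\pgpass.conf), applies the 0600-or-stricter rule, and parses the host:port:database:user:password format with `*` wildcards and backslash escapes. The sample file content is constructed; nothing here touches a real password file unless you call `load_password`.

```python
import os
import stat
import sys
from typing import List, Optional

# Constructed sample content in pgpass format (not taken from the thread).
# "\:" escapes a colon inside a field and "\\" escapes a backslash.
SAMPLE_PGPASS = """\
# comment lines and blank lines are ignored
localhost:5432:appdb:app_user:s3cret
*:*:*:admin:colon\\:in\\:password
db.example.test:5433:*:reporter:rep\\\\pw
"""


def pgpass_path() -> str:
    """Resolve the file libpq consults: PGPASSFILE if set, else the platform default."""
    override = os.environ.get("PGPASSFILE")
    if override:
        return override
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "postgresql", "pgpass.conf")
    return os.path.join(os.path.expanduser("~"), ".pgpass")


def mode_is_private(mode: int) -> bool:
    """libpq's Unix rule: reject the file if any group or other permission bit is set."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def permissions_ok(path: str) -> bool:
    """Windows libpq performs no permission check; Unix libpq wants u=rw (0600) or stricter."""
    if sys.platform.startswith("win"):
        return True
    return mode_is_private(os.stat(path).st_mode)


def split_fields(line: str) -> List[str]:
    """Split one pgpass line on unescaped ':'; a backslash escapes the next character."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def lookup(text: str, host: str, port: str, dbname: str, user: str) -> Optional[str]:
    """Return the password of the first matching line; '*' in a key field matches anything."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if len(fields) != 5:
            continue  # malformed line: skip it rather than guess
        h, p, d, u, password = fields
        wanted = (h, p, d, u)
        actual = (host, port, dbname, user)
        if all(w == "*" or w == a for w, a in zip(wanted, actual)):
            return password
    return None


def load_password(host: str, port: str, dbname: str, user: str) -> Optional[str]:
    """Read the real password file the way libpq would, refusing an over-permissive one."""
    path = pgpass_path()
    if not os.path.isfile(path) or not permissions_ok(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return lookup(fh.read(), host, port, dbname, user)


if __name__ == "__main__":
    print("libpq would read:", pgpass_path())
    print(lookup(SAMPLE_PGPASS, "localhost", "5432", "appdb", "app_user"))
```

Pointing PGPASSFILE at a private location, as suggested in the thread, changes only `pgpass_path()`; the permission check and the shared-by-all-clients behaviour are unchanged, which is why the location must itself be protected.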