Dave Page wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Dunstan
Sent: 19 July 2006 13:55
To: Hiroshi Saito
Cc: Thomas Bley; pgsql-hackers@postgresql.org
Subject: Re: [HACKERS] password is no required, authentication is overridden

I don't understand what you are saying here. The problem is that it is not clear (at least to the original user, and maybe to others) that when pgadmin3 saves a password it saves it where it will be found by all libpq clients, not just by pgadmin3.

From: http://www.pgadmin.org/docs/1.4/connect.html

If you select "store password", pgAdmin stores passwords you enter in
the ~/.pgpass file under *nix or %APPDATA%\postgresql\pgpass.conf under
Win32 for later reuse. For details, see pgpass documentation. It will be
used for all libpq based tools. If you want the password removed, you
can select the server's properties and uncheck the selection any time.

OK, although I am not sure I think that is sensible - it is at least documented. Does the dialog box also carry similar info?

How is that optimal? If pgadmin3 were to save it in a non-standard location and then set PGPASSFILE to point to that location that would solve the problem. Or maybe it should offer a choice. Either way, how would a malicious user affect that? PGPASSFILE only contains a location, not the contents of the file, so exposing it is not any great security issue, as long as the location is itself protected.

We have no sensible way of determining whether or not the libpq we are
running with supports PGPASSFILE.

Well, this answer is better. The lack of an API to tell you the library version is possibly worrying, though.



---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
      subscribe-nomail command to [EMAIL PROTECTED] so that your
      message can get through to the mailing list cleanly

Reply via email to