[HACKERS] how to keep/lock/ hide pg_hba.conf ?

2011-04-11 Thread john.cheng
Dear all:
I am ready to release client/server software (on Windows XP); of course it is a
PostgreSQL-based application,
but I have to hide the password for sensitive data.
I found that if a user modifies pg_hba.conf, changing the METHOD field
from md5 to password,
then the user can find out the password with a TCP/IP peep tool such as
LayerViewer
(we don't plan to install SSL on the server/client).
I think that since even a newbie like me knows about this bug, a solution should
have been released already.
Thanks for any advice/suggestions.

Regards

john from Taiwan


--
View this message in context: 
http://postgresql.1045698.n5.nabble.com/how-to-keep-lock-hide-pg-hba-conf-tp4296068p4296068.html
Sent from the PostgreSQL - hackers mailing list archive at Nabble.com.

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] how to keep/lock/ hide pg_hba.conf ?

2011-04-11 Thread Jaime Casanova
On Mon, Apr 11, 2011 at 9:35 AM, john.cheng neoart.hi...@msa.hinet.net wrote:
> I found that, if user modified the pg_hba.conf, modified the METHOD field
> from md5 to password

If it's a client/server app, the user shouldn't have access to the
server, so how could he make the change?

Also, the directory in which pg_hba.conf lives is only
visible/writable for the database cluster owner and the system
administrator, so does that mean you're allowing your user to connect to
the server as one of those users? Or is Windows incapable of enforcing
those restrictions?

-- 
Jaime Casanova         www.2ndQuadrant.com
Professional PostgreSQL: PostgreSQL support and training



Re: [HACKERS] how to keep/lock/ hide pg_hba.conf ?

2011-04-11 Thread Peter Eisentraut
On Mon, 2011-04-11 at 07:35 -0700, john.cheng wrote:
> I found that, if user modified the pg_hba.conf, modified the
> METHOD field from md5 to password then, user can find out the
> password by some the TCP/IP peep tool

Don't do that then.

Are you concerned that your users would do this?  Well, if you install
software on their machine, they can do whatever they want with it.
That's not an easy issue to solve.



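The setting discussed in this thread (METHOD changed from md5 to password, with no SSL) can be checked for on the server. The following is an added example, not part of the original thread and not PostgreSQL's own code; the sample file contents and the function names are constructed for illustration, and only the common unquoted one-line rule syntax is parsed.

```python
# Flags pg_hba.conf rules where the `password` method (cleartext password)
# applies to a connection type that can match non-SSL TCP connections.
# Assumption: unquoted fields, no include directives or line continuations.

# Constructed sample, not taken from the thread.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS                      METHOD
local      all       all                                md5
host       all       all   127.0.0.1/32                 md5
host       appdb     app   192.168.1.0/24               password
hostssl    appdb     app   10.0.0.0/8                   password
hostnossl  appdb     app   192.168.2.0 255.255.255.0    password
host       all       all   ::1/128                      md5  # not password
"""

# `host` matches both SSL and non-SSL connections; `hostnossl` only non-SSL.
MAY_BE_UNENCRYPTED = {"host", "hostnossl"}


def parse_rule(line):
    """Return (conn_type, address, method), or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if fields[0] == "local":      # local DATABASE USER METHOD [OPTIONS]
        if len(fields) < 4:
            raise ValueError("incomplete local rule")
        return fields[0], None, fields[3]
    if len(fields) < 5:           # host* DATABASE USER ADDRESS [MASK] METHOD
        raise ValueError("incomplete host rule")
    address, idx = fields[3], 4
    # Separate-netmask form: the field after the address is a mask, not a method.
    if "/" not in address and (fields[4][0].isdigit() or ":" in fields[4]):
        address, idx = f"{address} {fields[4]}", 5
    if len(fields) <= idx:
        raise ValueError("rule has no METHOD field")
    return fields[0], address, fields[idx]


def cleartext_rules(hba_text):
    """List (line_number, conn_type, address) for cleartext-password rules."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule and rule[0] in MAY_BE_UNENCRYPTED and rule[2] == "password":
            findings.append((lineno, rule[0], rule[1]))
    return findings


if __name__ == "__main__":
    for lineno, conn_type, address in cleartext_rules(SAMPLE_HBA):
        print(f"line {lineno}: {conn_type} {address} sends the password in cleartext")
```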