Re: Minimising windows installer password confusion

From: Florian Pflug <fgp(at)phlo(dot)org>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, magnus(at)hagander(dot)net, ashesh(dot)vashi(at)enterprisedb(dot)com, dharmendra(dot)goyal(at)enterprisedb(dot)com, sachin(dot)srivastava(at)enterprisedb(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Minimising windows installer password confusion
Date: 2012-06-13 10:32:03
Message-ID: 036231D3-C48A-4236-9AE9-ADD1F271AD13@phlo.org
Lists: pgsql-hackers

On Jun13, 2012, at 11:10 , Dave Page wrote:
> On Wed, Jun 13, 2012 at 2:12 AM, Craig Ringer
> <craig(at)postnewspapers(dot)com(dot)au> wrote:
>>
>> Users don't remember passwords, though. It's one of those constants, and is
>> why practically every web site etc out there offers password recovery.
>>
>> The installer IMO needs to store the postgres account password in a registry
>> key with permissions set so that only users with local admin rights (ie: who
>> can use the installer) can view it. I don't like the idea of storing a
>> password, but it's only going to be accessible if you already have rights to
>> the registry as local admin, in which case the attacker can just reset it
>> themselves (or root your machine). So long as they installer warns that the
>> password shouldn't be one you use elsewhere because it can be recovered from
>> your computer, I don't see a problem.
>
> The idea of storing the password in clear text in the registry gives
> me nervous twitches. Whilst it should be secure if done as you
> suggest, a) a simple mistake could leave it vulnerable and give us an
> embarrassing security issue to deal with. It also doesn't help us in
> the cases where users have another installation of PostgreSQL from
> somewhere that doesn't store the password (which is likely to be the
> case for years to come, even if it was our installer that was used
> previously).

Hm, doesn't the registry already contain the postgres service account's
password? AFAIR, on Windows you cannot really impersonate an account without
knowing its password, which is the reason why a) the password of a user
account is stored in the registry if you enable auto-logon and b) you need
to know the service account's password to create a service.

Some googling brought up a tool called isvcpwd[1] which seems to be able to
change service account passwords without breaking services. Judging from a brief
glance over the source code, it does so by iterating over all services
domain-wide, and adjusting the service definition of those which rely on the
modified account(s). So that seems to support the theory that the passwords
are stored in the individual machine's registries.

Some further googling indicates that, yes, the service account passwords
are stored in the registry, but are only accessible to the LocalSystem
account [2]. Querying them from the postgres installer thus isn't really an
option. But what you could do, I guess, is to offer the user the ability to
change the password, and using the approach from [1] to update the affected
service definitions afterwards.

best regards,
Florian Pflug

[1] https://www.itefix.no/i2/isvcpwd
[2] http://www.windowsnetworking.com/kbase/windowstips/windowsnt/registrytips/miscellaneous/LSASecrets.html
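The procedure sketched at the end of the message (reset the service account's password, then rewrite the credential stored in every service definition that uses that account, since the stored copy in LSA secrets cannot be read back by the installer) looks roughly like this in PowerShell. This is an added example, not code from the message, from isvcpwd or from the PostgreSQL installer; the account name `postgres` and the local-only scope are assumptions, and `Set-LocalUser` assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1 and later on Windows.

```powershell
# Added example (not from the original message or any PostgreSQL project code):
# reset a local service account's password and update every service that logs
# on as that account, mirroring the approach the message attributes to isvcpwd
# but limited to the local machine. The account name is an illustrative assumption.
#Requires -RunAsAdministrator

param(
    [string]$AccountName  = 'postgres',            # assumed local account name
    [string]$ComputerName = $env:COMPUTERNAME
)

# Prompt instead of hard-coding the new password; a SecureString keeps it out of
# command history and transcripts.
$newPassword = Read-Host -AsSecureString -Prompt "New password for $AccountName"

# Win32_Service.Change needs the password in plain text; unwrap it only for the
# duration of the calls and free the buffer afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    # 1. Change the password of the local SAM account itself.
    Set-LocalUser -Name $AccountName -Password $newPassword -ErrorAction Stop

    # 2. Find every service whose logon account is this user. The SCM stores
    #    StartName as ".\postgres" or "COMPUTER\postgres" for local accounts;
    #    -match is case-insensitive, which matches Windows account semantics.
    $pattern  = '^(\.|{0})\\{1}$' -f [regex]::Escape($ComputerName), [regex]::Escape($AccountName)
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match $pattern }

    if (-not $services) {
        Write-Warning "No services run as $AccountName; nothing to update."
    }

    # 3. Rewrite the credential held in each service definition so the SCM can
    #    still log the account on at the next service start. The old secret is
    #    never read; it is simply replaced.
    foreach ($svc in $services) {
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
                                   -Arguments @{ StartPassword = $plain }
        if ($result.ReturnValue -ne 0) {
            Write-Error ("Failed to update {0}: Win32_Service.Change returned {1}" -f $svc.Name, $result.ReturnValue)
        } else {
            Write-Host ("Updated stored credential for service {0}" -f $svc.Name)
        }
    }
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell session. Services already running keep running with their existing token; the new credential is used at the next start, so a mismatch only surfaces then, which is why the script updates every matching service in one pass rather than just the PostgreSQL one.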
