Re: prevent user change password?

Lists: pgsql-general
From: Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk>
To: pgsql-general(at)postgresql(dot)org
Subject: prevent user change password?
Date: 2005-05-31 17:03:04
Message-ID: 306p9195i31pctqrpugrorjdre0hr7ik1u@4ax.com

Is it possible to prevent a user from changing their password?

I have a database with a 'Guest' account, that will have limited
access. I don't want any of my guests to change the Guest account
password.

tia
Richard


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: prevent user change password?
Date: 2005-06-01 15:39:22
Message-ID: 14420.1117640362@sss.pgh.pa.us

Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk> writes:
> Is it possible to prevent a user from changing their password?

No.

> I have a database with a 'Guest' account, that will have limited
> access. I don't want any of my guests to change the Guest account
> password.

Perhaps you should use something other than password authentication
for the guest account.

regards, tom lane


From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: prevent user change password?
Date: 2005-06-01 16:33:02
Message-ID: 20050601163302.GA20923@wolff.to

On Tue, May 31, 2005 at 18:03:04 +0100,
Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk> wrote:
> Is it possible to prevent a user from changing their password?
>
> I have a database with a 'Guest' account, that will have limited
> access. I don't want any of my guests to change the Guest account
> password.

Your best solution is probably to tell them not to change the password.
It is very unlikely anyone would do this by accident and if you don't
trust them enough to not do it deliberately, then they probably shouldn't
be sharing an account.


From: Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: prevent user change password?
Date: 2005-06-04 21:00:06
Message-ID: t044a1p84blvil6iatpnn946bbphq79kgm@4ax.com

On Wed, 01 Jun 2005 11:39:22 -0400, tgl(at)sss(dot)pgh(dot)pa(dot)us (Tom Lane)
wrote:

>> I have a database with a 'Guest' account, that will have limited
>> access. I don't want any of my guests to change the Guest account
>> password.
>
>Perhaps you should use something other than password authentication
>for the guest account.

Thanks for your reply Tom,

I want anyone from anywhere to be able to connect to my_database (only
my_database, not others in the cluster) using the guest account. The
system is to be live on the Internet.

Putting:

host my_database guest 0.0.0.0 0.0.0.0 trust

ahead of other entries in pg_hba.conf seems to do the trick. Even if
guest is given a password, or it gets changed, guest can connect
without being asked for it.

The guest account will only be allowed select permissions.

Does this open me to being attacked? I assume guest could then query
various system tables, but that other users' passwords are either not
visible or securely encrypted.

regards
Richard
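
An added illustration, not part of the original thread: a simplified first-match evaluator for `host` records in pg_hba.conf, showing which connections the trust line in the message above admits without a password and which fall through to later records. The md5 record and the client addresses are constructed for the example, and keywords other than `all` (such as `sameuser` or `+group`) are not handled.

```python
import ipaddress

# Constructed sample: the thread's trust line placed ahead of a password rule.
SAMPLE_HBA = """\
# TYPE  DATABASE     USER   IP-ADDRESS  IP-MASK   METHOD
host    my_database  guest  0.0.0.0     0.0.0.0   trust
host    all          all    0.0.0.0     0.0.0.0   md5
"""

def parse_hba(text):
    """Parse 'host' records given in address+mask or CIDR form."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] != "host":
            continue
        dbs, users, addr = fields[1].split(","), fields[2].split(","), fields[3]
        if "/" in addr:                      # CIDR form: addr/len METHOD
            net, method = ipaddress.ip_network(addr, strict=False), fields[4]
        else:                                # older form: addr mask METHOD
            net = ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False)
            method = fields[5]
        rules.append((dbs, users, net, method))
    return rules

def auth_method(rules, database, user, client_ip):
    """Return the method of the first matching record, or None (rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for dbs, users, net, method in rules:
        if (("all" in dbs or database in dbs)
                and ("all" in users or user in users)
                and ip.version == net.version and ip in net):
            return method                    # first match wins; later records ignored
    return None

def open_trust_rules(rules):
    """List trust records whose address range covers every client address."""
    return [r for r in rules if r[3] == "trust" and r[2].prefixlen == 0]

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for db, user in [("my_database", "guest"), ("my_database", "richard"),
                     ("other_db", "guest")]:
        print(db, user, "->", auth_method(rules, db, user, "203.0.113.7"))
    print("trust open to any address:", len(open_trust_rules(rules)))
```
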


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: prevent user change password?
Date: 2005-06-05 22:40:31
Message-ID: 4495.1118011231@sss.pgh.pa.us

Richard Hayward <richard(at)tortoise(dot)demon(dot)co(dot)uk> writes:
> On Wed, 01 Jun 2005 11:39:22 -0400, tgl(at)sss(dot)pgh(dot)pa(dot)us (Tom Lane)
> wrote:
>> Perhaps you should use something other than password authentication
>> for the guest account.

> I want anyone from anywhere to be able to connect to my_database (only
> my_database, not others in the cluster) using the guest account. The
> system is to be live on the Internet.

> Putting:

> host my_database guest 0.0.0.0 0.0.0.0 trust

> ahead of other entries in pg_hba.conf seems to do the trick. Even if
> guest is given a password, or it gets changed, guest can connect
> without being asked for it.

> The guest account will only be allowed select permissions.

> Does this open me to being attacked? I assume guest could then query
> various system tables, but that other users' passwords are either not
> visible or securely encrypted.

I'd be inclined to use a postmaster dedicated *only* to that purpose,
running under a Unix userid also dedicated to that purpose. We do come
across security holes from time to time ...

regards, tom lane