I've recently been playing with postgres-6.3.2 in a testing mulit-user
environment. I've come across a problem that others have noted on the
list, but I've never seen an suggested solution to it.
My experience is that a user can either change ALL passwords (if the user
has "create user" status) or NO passwords (including his own) via the
"alter user with password ----" command.
I'm looking to use postgres in a multi-user environment, which could
possibly have malicious users who would change other users passwords, or
destroy other user's databases if they were able to.
To avoid such a predicament, I can simply create all users with no ability
to change passwords. However, that means that if a user wants/needs his
password changed, they'll have to contact the administrator to do so.
Is there a way around this administrator-intensive solution?
please reply to me in addition to the list as I am not currently
subscribed.
Thanks in Advance.
Scott