Discussion: how to keep/lock/hide pg_hba.conf?
Dear all:

I am ready to release a client/server software (in Windows XP). Sure, it's a PostgreSQL-based application, but I have to hide the password for sensitive data.

I found that, if the user modified the pg_hba.conf, modified the "METHOD" field from md5 to "password", then the user can find out the password by some TCP/IP peep tool, such as LayerViewer (we don't plan to install SSL in server/client).

I think as a newbie as I know this bug, this solution should be released already.

Thanks for any advice/suggestion.

Regards,
john from Taiwan

--
View this message in context: http://postgresql.1045698.n5.nabble.com/how-to-keep-lock-hide-pg-hba-conf-tp4296068p4296068.html
Sent from the PostgreSQL - hackers mailing list archive at Nabble.com.

On Mon, Apr 11, 2011 at 9:35 AM, john.cheng <neoart.hinet@msa.hinet.net> wrote:
> I found that, if user modified the pg_hba.conf, modified the "METHOD" field
> from md5 to "password"

If it's a client/server app, the user shouldn't have access to the server, so how could he make the change?

Also, the directory in which the pg_hba.conf is located is only visible/writable for the database cluster owner and the system administrator, so that means you're allowing your user to connect to the server as one of those users? Or is Windows incapable of enforcing those restrictions?

--
Jaime Casanova
www.2ndQuadrant.com
Professional PostgreSQL: PostgreSQL support and training

On Mon, 2011-04-11 at 07:35 -0700, john.cheng wrote:
> I found that, if user modified the pg_hba.conf, modified the
> "METHOD" field from md5 to "password" then, user can find out the
> password by some TCP/IP peep tool

Don't do that then.

Are you concerned that your users would do this? Well, if you install software on their machine, they can do whatever they want with it. That's not an easy issue to solve.
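
The following check is an added example, not part of any message in this thread: it scans pg_hba.conf content for rules whose METHOD is `password` on record types that match non-SSL TCP connections, which is the md5-to-password change the original post describes. The sample file content and the function names are constructed for illustration, and the code assumes unquoted fields in the standard column layout.

```python
import ipaddress

# Constructed sample pg_hba.conf content (not taken from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    md5
host    all       all   127.0.0.1/32     md5
host    appdb     app   192.168.1.0/24   password
host    appdb     app   10.0.0.0 255.0.0.0 password
hostssl appdb     app   0.0.0.0/0        password
"""

# Record types that match TCP connections made without SSL.
NETWORK_TYPES = {"host", "hostnossl"}


def _is_netmask(token):
    """True if the token is a bare IP address, i.e. the separate IP-mask column."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def find_cleartext_rules(hba_text):
    """Return (line_number, rule) for rules that allow `password` auth without SSL."""
    findings = []
    for number, raw in enumerate(hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 5 or fields[0] not in NETWORK_TYPES:
            continue  # blank, comment, local socket, or hostssl (SSL required)
        # Layout: type database user address [ip-mask] method [options]
        method_idx = 5 if _is_netmask(fields[4]) else 4
        if len(fields) > method_idx and fields[method_idx] == "password":
            findings.append((number, " ".join(fields)))
    return findings


if __name__ == "__main__":
    for number, rule in find_cleartext_rules(SAMPLE_HBA):
        print(f"line {number}: cleartext password auth allowed: {rule}")
```

Run against the server's own pg_hba.conf on a schedule, a non-empty result signals that the file has been changed away from md5.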