Date: Sun, 23 Apr 2000 22:02:45 +0200
From: Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Postgresql cleartext password storage
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

While migrating some postgres databases to a different server (including user
accounts) I noticed the following problem in the way postgres stores user
passwords:

SmellyCat:/var/postgres/data# strings pg_shadow
someaccountname
someaccountpassword
anotheraccountname
anotheraccountpassword
SmellyCat:/var/postgres/data#

This means postgresql stores usernames and passwords, cleartext, in pg_shadow.
pg_shadow (and the other administrative tables) are owned by user postgres,
and only readable by user postgres, although modifying them through the pgsql
monitor is usually protected by a password.

The passwords being cleartext, and readable by user postgres (and root, of
course), allows bypassing the password mechanism, and gives access to all
databases. (Compromising user 'postgres' or reading the pg_shadow file gives
access to the usernames/passwords.)

Of course this came in handy for me, but I think it's not the way it should
be :)

I tested this on postgres versions 6.3.2 and 6.5.3; others probably
experience this problem as well.

This message is mailed to bugtraq, and Cc'd to the postgresql developers.

Greets,
Robert van der Meulen/Emphyrio

-- 
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security          |
| My statements are mine, and not necessarily cistron's.       |
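
The exposure described in the message above, as an added example that is not part of the original post and is not PostgreSQL's code: a strings(1)-style scan over a cleartext credential record next to the same scan over a salted-hash record. The record layout, the function names and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration, not the real pg_shadow format.

```python
import hashlib
import hmac
import os
import re

SALT_LEN, DIGEST_LEN, ROUNDS = 16, 32, 100_000  # illustrative parameters

def strings(blob, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(blob)]

def cleartext_record(user, password):
    """Constructed layout: user NUL password NUL (the weakness reported above)."""
    return user.encode() + b"\x00" + password.encode() + b"\x00"

def hashed_record(user, password):
    """Constructed layout: user NUL salt digest NUL; the password is never stored."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return user.encode() + b"\x00" + salt + digest + b"\x00"

def verify(record, candidate):
    """Recompute the digest from the stored salt and compare in constant time."""
    _user, rest = record.split(b"\x00", 1)  # user name contains no NUL byte
    salt = rest[:SALT_LEN]
    stored = rest[SALT_LEN:SALT_LEN + DIGEST_LEN]
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ROUNDS)
    return hmac.compare_digest(stored, digest)

def password_visible(record, password):
    """True if a strings-style scan of the record reveals the password."""
    return any(password in run for run in strings(record))

if __name__ == "__main__":
    # Constructed sample values, taken from the placeholder names in the post.
    user, pw = "someaccountname", "someaccountpassword"
    clear = cleartext_record(user, pw)
    hashed = hashed_record(user, pw)
    print("cleartext record:", strings(clear))
    print("password visible in cleartext record:", password_visible(clear, pw))
    print("password visible in hashed record:   ", password_visible(hashed, pw))
    print("login still verifies:", verify(hashed, pw))
```

A hashed record still needs the same file permissions, since anyone who can read it can run offline guesses against the digest.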