[Nsspampgsql-devel] Bug#551389: Bug#551389: libnss-pgsql2: Public auth info in the nss-pgsql.conf allows Denial-of-Service attack to NSS
Stephen Gran
sgran at debian.org
Sun Oct 18 01:55:37 UTC 2009
This one time, at band camp, Denis Feklushkin said:
> Any local user can completely disable NSS resolution in DB by changing
> the password to the database.
>
> Unlike mysql, postgres does not allow creating a user ("role") which has
> no possibility to change its own password (so-called "anonymous user").
>
> Thus, any local user can obtain the password from /etc/nss-pgsql.conf,
> change it, and access to the DB will be corrupted

OK, I'll bite - why are you not making access to the database 'trust' in
pg_hba.conf?

And why is a misconfiguration of postgres a bug in nss-pgsql?

Cheers,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran at debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
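
An added example, not part of the original message or of nss-pgsql: a small Python check for the situation discussed in this thread, flagging a world-readable NSS config whose shared password is actually required by the first matching pg_hba.conf rule. The `connectionstring` key, the role name `nss`, the database name `unix` and both sample files are assumptions constructed for illustration; only `local` (Unix socket) rules with plain or comma-separated names are evaluated.

```python
import shlex
import stat

# pg_hba.conf methods that make the stored role password matter.
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}

# Constructed sample inputs (not taken from the thread).
NSS_CONF = "connectionstring = dbname=unix user=nss password=example-only\n"
HBA_PASSWORD = "local  all   all  md5\n"
HBA_TRUST = "# TYPE DATABASE USER METHOD\nlocal  unix  nss  trust\nlocal  all   all  md5\n"


def conn_params(nss_conf_text):
    """Return the libpq key=value pairs from the 'connectionstring' setting."""
    for line in nss_conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "connectionstring":
            return dict(p.split("=", 1) for p in shlex.split(value) if "=" in p)
    return {}


def local_auth_method(hba_text, database, user):
    """Auth method of the first 'local' rule matching database and user."""
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0] != "local":
            continue
        dbs, users, method = fields[1].split(","), fields[2].split(","), fields[3]
        if {"all", database} & set(dbs) and {"all", user} & set(users):
            return method  # PostgreSQL stops at the first matching rule
    return None


def audit(nss_conf_text, file_mode, hba_text):
    """'at-risk' if a world-readable password is what the server checks."""
    p = conn_params(nss_conf_text)
    user = p.get("user")
    # libpq defaults dbname to the user name when it is not given.
    method = local_auth_method(hba_text, p.get("dbname", user), user)
    readable_secret = bool(file_mode & stat.S_IROTH) and "password" in p
    return "at-risk" if readable_secret and method in PASSWORD_METHODS else "ok"


if __name__ == "__main__":
    for name, hba in (("password rule", HBA_PASSWORD), ("trust rule", HBA_TRUST)):
        print(name, "->", audit(NSS_CONF, 0o644, hba))
```
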