
Re: Password issue revisited

Michael Schmidt wrote:
> Fellow PostgreSQL fans,
>
> 1. I don't see that this would pose a major security risk. In
> fact, in applications where the user enters the password for each
> session, the password need never be saved to disk, which seems a
> definite security advantage.  Some folks have noted that .pgpass is
> a plain text file, hence it could be vulnerable.

Yes, it is a plain text file, but if you want to use it then you need to ensure the security is sufficient on the file or it won't be used.

As per the manual -

> The permissions on .pgpass must disallow any access to world or group;
> achieve this by the command chmod 0600 ~/.pgpass. If the permissions
> are less strict than this, the file will be ignored. (The file
> permissions are not currently checked on Microsoft Windows, however.)


So this security feature should be something that gets added to the Windows version. But otherwise the security of the user's account that has a .pgpass file is the decider on whether it is vulnerable.


--

Shane Ambler
pgSQL@xxxxxxxxxxxxxxxx

Get Sheeky @ http://Sheeky.Biz
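
An added example, not part of the original message and not PostgreSQL's own code: a small audit function that applies the rule quoted from the manual (no group or world access on .pgpass) to a file on a Unix-like system. The function name `audit_pgpass`, the sample file contents, and the extra ownership and symlink checks are assumptions of this example and go beyond what the manual text states.

```python
import os
import stat
import tempfile


def audit_pgpass(path):
    """Return a list of findings; an empty list means the file passes."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink (stricter choice of this example)
    except FileNotFoundError:
        return ["missing: no password file at this path"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, directory or device)"]
    findings = []
    # The manual's rule: any group or world bit (r, w or x) is too permissive.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/world access: mode is %04o, expected 0600 or stricter"
                        % stat.S_IMODE(st.st_mode))
    # Extra check (assumption of this example): file should belong to the caller.
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    return findings


def demo():
    """Audit one constructed .pgpass file under several permission modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".pgpass")
        with open(path, "w") as f:
            # Constructed sample entry: host:port:database:user:password
            f.write("localhost:5432:appdb:appuser:constructed-sample-password\n")
        for mode in (0o644, 0o640, 0o600, 0o400):
            os.chmod(path, mode)
            results[mode] = audit_pgpass(path)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print("%04o" % mode, "OK" if not findings else "; ".join(findings))
```

On Windows the mode bits reported by `os.lstat` do not reflect ACLs, so this check says nothing useful there, which matches the manual's note that permissions are not checked on that platform.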

