COMMAND

    Postgres

SYSTEMS AFFECTED

    Postgresql

PROBLEM

    Robert van der Meulen found the following. While migrating some
    postgres databases to a different server (including user accounts)
    he noticed the following problem in the way postgres stores user
    passwords:

        SmellyCat:/var/postgres/data# strings pg_shadow
        someaccountname
        someaccountpassword
        anotheraccountname
        anotheraccountpassword
        SmellyCat:/var/postgres/data#

    This means postgresql stores usernames and passwords, in cleartext,
    in pg_shadow. pg_shadow (and the other administrative tables) are
    owned by user postgres and only readable by user postgres, although
    modifying them through the pgsql monitor is usually protected by a
    password.

    Because the passwords are cleartext and readable by user postgres
    (and root, of course), this allows bypassing the password mechanism
    and gives access to all databases: compromising user 'postgres' or
    reading the pg_shadow file yields every username and password.

    This was tested on postgres versions 6.3.2 and 6.5.3; others
    probably experience this problem as well.

SOLUTION

    Basically, this is a known issue. On Debian GNU/Linux potato, in the
    file /usr/share/doc/postgresql-doc/README.passwords you can find:

        Passwords are  stored in  pg_shadow in  clear, but  if `crypt'
        authentication  is  specified,   the  frontend  encrypts   the
        password with  a random  salt and  the backend  uses the  same
        salt to  encrypt the  password in  the database.   If the  two
        encrypted passwords  match, the  user is  allowed access.   If
        the  authentication  method  is  `password',  the  password is
        transmitted and compared in clear.

    and a little lower:

        2. In general, passwords  are insecure, because they  are held
           in clear in pg_shadow.   Anyone with create-user  privilege
           can not only alter  but also read them.   They ought to  be
           stored with one-way encryption,  as with the Unix  password
           system.

    So this  is well  known and  documented.   Anyway, you  don't have
    normal users on the database server, now do you?
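    The `crypt' exchange the README describes, as an added Python example
    that is not part of this advisory or of PostgreSQL: a salted SHA-256
    stands in for crypt(3), the pg_shadow rows are constructed, and a
    one-way store of the kind the README asks for is shown beside it to
    illustrate why that exchange depends on the cleartext column.

```python
import hashlib
import os

# Stand-in for the Unix crypt(3) call used by `crypt' authentication.
# Assumption: a salted SHA-256 is substituted so the example runs
# without the deprecated Python crypt module; the protocol shape is the same.
def crypt_like(password: str, salt: str) -> str:
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()

# pg_shadow as the advisory shows it: the password column is cleartext.
# Constructed sample rows, not real credentials.
PG_SHADOW = {
    "someaccountname": "someaccountpassword",
    "anotheraccountname": "anotheraccountpassword",
}

def backend_crypt_check(user: str, salt: str, response: str) -> bool:
    """Backend side of `crypt' auth: re-encrypt the stored cleartext
    password with the salt it sent and compare with the client's reply.
    This only works because pg_shadow holds the password in clear."""
    stored = PG_SHADOW.get(user)
    return stored is not None and crypt_like(stored, salt) == response

def crypt_login(user: str, password: str) -> bool:
    """Full exchange: the backend picks a fresh salt per connection, the
    frontend sends crypt(password, salt); nothing travels in clear."""
    salt = os.urandom(4).hex()
    return backend_crypt_check(user, salt, crypt_like(password, salt))

# What the README asks for instead: one-way storage as in the Unix
# password file. The salt is fixed at enrolment and kept with the hash.
def oneway_entry(password: str) -> str:
    return crypt_like(password, os.urandom(8).hex())

def oneway_verify(entry: str, password: str) -> bool:
    """The backend can verify a password sent to it, but it can no longer
    answer a challenge with a per-connection salt, since it cannot
    recompute crypt(password, new_salt) from the stored hash."""
    return crypt_like(password, entry[:16]) == entry

def leaks_password(entry: str, password: str) -> bool:
    """What `strings pg_shadow' reveals: True if the stored value
    contains the password itself."""
    return password in entry
```

    With the one-way entry, reading the file no longer yields the
    password, which is the trade-off the README describes.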