On Tue, Mar 22, 2011 at 12:33 PM, Simon Riggs <si...@2ndquadrant.com> wrote:
>>> This has been fixed for the next releases.
>>
>> For the sake of the archives, it should also be noted that the file is in a
>> secure directory, much as a .pgpass file would be, so this is generally only
>> an issue for the situation described above, and not when a user installs a
>> copy himself.
>
> I accept it's not a worst-case problem, but we should rate the problem
> A-D as with other security issues.
> All cases should get a rating so we know what we're dealing with
>
> The problem is that the password is disclosed in a surprising way.
> .pgpass files are explicitly put there by a user, so they know what
> they've done.
>
> Putting a password in cleartext somewhere is an issue if people don't
> know about it.

I agree completely.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs