Re: BUG #15961: psql should be able to read password from stdin

On Mon, Aug 19, 2019 at 12:40:05PM +0300, Arthur Zakirov wrote:
> On 16.08.2019 17:20, PG Bug reporting form wrote:
> > My use case is that I am writing terraform scripts to standup Sonarqube in
> > AWS. After creating the AWS RDS PostgreSQL database, I need to be able to
> > create the sonarqube user and grant access to the sonarqube database that
> > was created with the RDS instance. I can work around this using the
> > PGPASSWORD environment variable but that seems to be deprecated. I don't
> > want to use the .pgpass solution since I don't want/need the postgres user's
> > credentials in my EC2 instance where the Sonarqube server will be running...

> Is PGPASSWORD really deprecated? The documentation just says that it is not
> recommended to use it for security reasons, and it doesn't say that the
> variable is deprecated:
> https://www.postgresql.org/docs/current/libpq-envars.html

PGPASSWORD isn't deprecated. The documentation states that 'is not
recommended for security reasons, as some operating systems allow
non-root users to see process environment variables via ps'.

IOW, it's only not recommended if one plans to use Postgres on such
systems.

The only example for such an operating system I know is the ancient
Solaris 9. That means under Solaris 9 a non-root user is able to read
the environment variables of processes owned by other users. The also
ancient Solaris 10 fixed that.

Under Linux, the environment of a processed is only readable for the
process-owning user and root.

The PGPASSWORD handling in psql can be even made more secure under Linux:

https://www.postgresql.org/message-id/15930-1a5562cad4a72900%40postgresql.org

> I guess passing a password by command-line might have similar security
> problems. If it suits you then PGPASSWORD should work for you too.

Under Linux, passing the password on the command line is definitely more
insecure because the argument vector of a process is world-readable.

Best regards
Georg