From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | "Jonah H(dot) Harris" <jonah(dot)harris(at)gmail(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Tomasz Olszak <tolszak(at)o2(dot)pl>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Problem with accesing Oracle from plperlu functionwhen using remote pg client. |
Date: | 2009-03-17 02:00:41 |
Message-ID: | 200903170200.n2H20fM20711@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Jonah H. Harris wrote:
> On Mon, Mar 16, 2009 at 8:50 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> > Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> writes:
> > > Hmm, I wonder if you could do something malicious with it.
> >
> > There are any number of scenarios where exposing the client command-line
> > contents to other database users represents a security hole, quite
> > independently of whether anything falls over depending on the line
> > contents. (I wonder whether there are any Oracle clients that accept
> > a password on the command line, for instance.)
>
>
> Sure they let you pass the password on the command line, but they don't
> recommend it. Most of the utilities accept the syntax:
>
> utility user/pass(at)instance
>
> Just doing user(at)instance will generally prompt for a password.
>
> Ahh, the number of passwords I've recovered from shell history files as a
> consultant... good times :)
>
> The only reason this complaint is directed to us, and not Oracle,
> > is that the complainant knows how far he's likely to get complaining
> > to Oracle :-(
>
>
> I don't doubt that. But, like I said, it's really a matter of the
> application name. In our case, Postgres falls into that corner case and we
> either choose to do something about it or we don't. I put the temporary
> solution out there for anyone that has the problem. If we want to fix it
> long-term, we'd have to look at one of the previously discussed alternatives
> to using (port). I don't particularly care one way or another, but if we
> were to change the ps line format, I just wanted to say that I preferred
> host:port rather than host(port).
I think I was the one who originally added the port in paretheses, and I
agree that a colon would have made more sense, but I never thought of
it.
postgres test 127.0.0.1(57966) idle
vs.
postgres test 127.0.0.1:57966 idle
In fact my old BSD ps looks like:
postgres test 127.0.0.1(58013) idle (postmaster)
The old argv[0] is in parentheses.
I think any serious tools are now using pg_stat_activity. I saw we make
the change in 8.4 and just document it. I wouldn't make the change for
Oracle but rather for clarity.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2009-03-17 02:04:27 | Re: small but useful patches for text searcht |
Previous Message | Tom Lane | 2009-03-17 01:53:55 | Re: small but useful patches for text searcht |