Skip site navigation (1) Skip section navigation (2)

Re: [PATCH] pg_autovacuum commandline password hiding.

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
Cc: "Ian FREISLICH" <if(at)hetzner(dot)co(dot)za>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCH] pg_autovacuum commandline password hiding.
Date: 2005-05-24 15:02:16
Message-ID: 20752.1116946936@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-patches
"Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> writes:
>> Which is exactly why we don't (and won't) provide such a switch.

> Err, yes we do:

Um, sorry, I totally misread Ian's patch as a proposal that we add a
password switch (I hate unidiffs ;-)).

I would argue actually that this switch is a horrible idea and we
must take it out entirely.  The method Ian proposes for hiding the
password after reading it is certainly not portable in the slightest,
and even if we could make it work on all platforms (which we can't)
I don't think it would be good enough, because there would still be
a window where the superuser password was exposed to view before
we could wipe it out.

psql, pg_dump, etc allow password specification from stdin and from
.pgpass, never on the command line.  There is a reason why they are all
designed like that.  pg_autovacuum hasn't been studied carefully enough
I guess, because we should never have let a security hole like this get
by us.

			regards, tom lane

In response to

Responses

pgsql-patches by date

Next:From: despina simmonsDate: 2005-05-24 15:27:22
Subject: enhance your anatomy
Previous:From: Alvaro HerreraDate: 2005-05-24 14:41:56
Subject: Re: plperl strict mode

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group