Skip site navigation (1) Skip section navigation (2)

Re: PGPASSWORD

From: postgresbugs <postgresbugs(at)grifent(dot)com>
To:
Cc: pgsql-bugs(at)postgresql(dot)org, oliver(at)opencloud(dot)com
Subject: Re: PGPASSWORD
Date: 2005-02-25 23:12:40
Message-ID: 421FB0E8.5060503@grifent.com (view raw or flat)
Thread:
Lists: pgsql-bugs
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
Tom Lane wrote:
<blockquote cite="mid9002(dot)1109367533(at)sss(dot)pgh(dot)pa(dot)us" type="cite">
  <pre wrap="">postgresbugs <a class="moz-txt-link-rfc2396E"
 href="mailto:postgresbugs(at)grifent(dot)com">&lt;postgresbugs(at)grifent(dot)com&gt;</a> writes:
  </pre>
  <blockquote type="cite">
    <pre wrap="">Unless the utilities like psql and pg_dump are changed to accept a 
password as a command line option, I don't think PGPASSWORD should go 
away. It is too useful for those that know how to properly use and 
destroy environmental variables.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
... which evidently does not include you.  The point here is that if
PGPASSWORD is passed down to psql as an environmental variable, it is
visible as part of psql's environment for the entire run of psql.
Whatever the calling script does later doesn't remove that window of
vulnerability.

  </pre>
</blockquote>
No need for personal attacks. Just because you disagree is no reason to
be arrogant. I don't want to get into an "urinating match" with you.<br>
<br>
And, yes I do understand that for the brief period the environmental
variable could possibly be visible on some platforms, but even Windows
has the local directive which makes the variable far more secure. In my
case, prompting each time for the password is out of the question.
There is no human to answer the prompt.<br>
<blockquote cite="mid9002(dot)1109367533(at)sss(dot)pgh(dot)pa(dot)us" type="cite">
  <pre wrap="">There is no intention of removing PGPASSWORD, because it is safe and
useful *on platforms that do not expose other processes' environment
variables*.  But it is deprecated and will remain so, because there
are too many platforms where this is not true.
  </pre>
</blockquote>
I thought the word "deprecated"&nbsp; means there is intent to remove it
from use in the future.<br>
<blockquote cite="mid9002(dot)1109367533(at)sss(dot)pgh(dot)pa(dot)us" type="cite">
  <pre wrap="">  </pre>
  <blockquote type="cite">
    <pre wrap="">Again, the advantage is I can let users with no database login have 
controlled access to database data and utilities without them actually 
having a user name and password to the database. Without the ability to 
use PGPASSWORD, I have to expose the password in a .pgpass file for 
every user I want to allow access. I think that is far more insecure.
    </pre>
  </blockquote>
  <pre wrap=""><!---->
If .pgpass is properly protected, I do not see why you think it is
insecure.  It's certainly a lot safer than environment variables.

			regards, tom lane
  </pre>
</blockquote>
The user that starts the program may not have any .pgpass file in their
home directory. The program may even be started remotely. The password
is encrypted and stored and decrypted by the binary and the passed to
the script for execution of the standard Postgres utility. The script
runs in a process that never opens a visible terminal or process that
would be visible to anyone that might even be near the server. <br>
<br>
Regards,<br>
John Griffiths<br>
</body>
</html>


Attachment: unknown_filename
Description: text/html (3.2 KB)

In response to

Responses

pgsql-bugs by date

Next:From: postgresbugsDate: 2005-02-25 23:15:34
Subject: Re: PGPASSWORD
Previous:From: Oliver JowettDate: 2005-02-25 22:43:13
Subject: Re: PGPASSWORD

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group