Re: PGPASSWORD

From: Oliver Jowett <oliver(at)opencloud(dot)com>
To: postgresbugs <postgresbugs(at)grifent(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: PGPASSWORD
Date: 2005-02-25 23:27:38
Message-ID: 421FB46A.6010304@opencloud.com
Lists: pgsql-bugs

postgresbugs wrote:
> 
> 
> Tom Lane wrote:
> 
>>The point here is that if
>>PGPASSWORD is passed down to psql as an environmental variable, it is
>>visible as part of psql's environment for the entire run of psql.
>>Whatever the calling script does later doesn't remove that window of
>>vulnerability.

[...]

> And, yes I do understand that for the brief period the environmental 
> variable could possibly be visible on some platforms, but even Windows 
> has the local directive which makes the variable far more secure. 

The window is much longer than that. As Tom said, for PGPASSWORD to work 
it has to be present in the environment of the psql process -- that's 
how psql gets the password! That environment may be visible to other 
users of the system, depending on the OS. psql could remove the password 
after use, I suppose, but that just narrows the window.

IMO *any* window of vulnerability is unacceptable -- it opens up any 
periodic or triggerable process to an attacker who tries to get the 
timing just right (not impossible to do if you can also slow down the 
system you are attacking to widen the window..)

PGPASSWORD is just a bad idea as a general mechanism. We need some other 
way.

-O
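
An added example, not part of the original message or of PostgreSQL: a defender-side audit that checks which running processes carry PGPASSWORD in their environment for their whole lifetime, which is the exposure discussed above. It assumes the Linux `/proc/<pid>/environ` layout (NUL-separated `KEY=VALUE` entries); the function names and the sample data are hypothetical, and the password value is never returned or printed.

```python
from pathlib import Path

# Variable names to flag; PGPASSWORD is the one this thread is about.
SENSITIVE = ("PGPASSWORD",)


def exposed_vars(environ_blob, names=SENSITIVE):
    """Return the sensitive variable names set in a NUL-separated
    environment block (the format of /proc/<pid>/environ on Linux)."""
    found = []
    for entry in environ_blob.split(b"\0"):
        key, sep, _value = entry.partition(b"=")
        name = key.decode("ascii", "replace")
        if sep and name in names:
            found.append(name)  # record the name only, never the value
    return found


def audit_proc(proc_root="/proc"):
    """Return (pid, command, names) for every readable process whose
    environment still contains a sensitive variable."""
    findings = []
    root = Path(proc_root)
    if not root.is_dir():
        return findings
    for entry in sorted(root.iterdir()):
        if not entry.name.isdigit():
            continue  # not a process directory
        try:
            blob = (entry / "environ").read_bytes()
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue  # process exited, or not readable by this user
        names = exposed_vars(blob)
        if names:
            findings.append((int(entry.name), comm, names))
    return findings


# Constructed sample of what a psql process's environment block looks like.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\0PGHOST=db.example.internal\0"
    b"PGPASSWORD=constructed-secret\0"
)

if __name__ == "__main__":
    print("sample block exposes:", exposed_vars(SAMPLE_ENVIRON))
    for pid, comm, names in audit_proc():
        print(f"pid {pid} ({comm}) has {', '.join(names)} in its environment")
```

Any process it reports is one whose password is readable by whoever the operating system allows to read that process's environment, for as long as the process runs.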
