Re: [PATCH] pg_autovacuum commandline password hiding.

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Dave Page <dpage(at)vale-housing(dot)co(dot)uk>,Ian FREISLICH <if(at)hetzner(dot)co(dot)za>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCH] pg_autovacuum commandline password hiding.
Date: 2005-05-24 15:41:01
Message-ID: 42934B0D.7010109@dunslane.net
Lists: pgsql-patches

Tom Lane wrote:

>psql, pg_dump, etc allow password specification from stdin and from
>.pgpass, never on the command line.  There is a reason why they are all
>designed like that.  pg_autovacuum hasn't been studied carefully enough
>I guess, because we should never have let a security hole like this get
>by us.

I agree. And while we're on the topic, my patch from last year to allow 
setting an alternative location for the pgpass file via the environment 
seems to be lingering in the pgpatches2 queue. I know some clients use 
the environment to pass the password directly (also very insecure) 
because they can't specify the passfile location.

cheers

andrew
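
The password-file lookup discussed above, as an added example that is not part of the original message or of PostgreSQL's code: it parses the `hostname:port:database:username:password` format with backslash escapes and, like libpq, refuses a file that group or others can access. The function names, host name and passwords are constructed for illustration.

```python
import os
import pathlib
import stat
import tempfile

def split_fields(line):
    """Split a pgpass line on unescaped ':'; a backslash makes the next char literal."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped character, e.g. \: or \\
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return fields + ["".join(cur)]

def permissions_ok(path):
    """True only for a regular file with no group/other permission bits set."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and not (mode & (stat.S_IRWXG | stat.S_IRWXO))

def lookup_password(path, host, port, dbname, user):
    """Return the password of the first matching entry, or None."""
    if not permissions_ok(path):
        return None  # a loosely protected file is ignored, not trusted
    wanted = (host, str(port), dbname, user)
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            fields = split_fields(raw.rstrip("\n"))
            if raw.startswith("#") or len(fields) < 5:
                continue  # comment, blank or malformed line
            if all(f == "*" or f == w for f, w in zip(fields[:4], wanted)):
                return ":".join(fields[4:])
    return None

def demo():
    """Look up the same entry with mode 0600, then 0644 (constructed data)."""
    sample = "# constructed sample\ndb.example.internal:5432:*:vacuum:s3cr\\:et\n"
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "pgpass")
        path.write_text(sample)
        path.chmod(0o600)
        strict = lookup_password(path, "db.example.internal", 5432, "app", "vacuum")
        path.chmod(0o644)
        loose = lookup_password(path, "db.example.internal", 5432, "app", "vacuum")
    return strict, loose
```
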
