Re: PSQL Client command line password leak when using Connection String

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Luis Díaz <luisjesusdm(at)gmail(dot)com>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: PSQL Client command line password leak when using Connection String
Date: 2022-02-08 07:56:24
Message-ID: CABUevEyJYGt4q0mBWZUiumX8foOxywguS9a8NZgK-A+i5Ywx1Q@mail.gmail.com
Lists: pgsql-bugs

On Tue, Feb 8, 2022 at 8:52 AM Luis Díaz <luisjesusdm(at)gmail(dot)com> wrote:

> Hello,
>
> In Unix, the command line of all users is public and when using a
> connection string, sensitive data is passed unencrypted (the password)
>
> I think some Linux/Unix command-line utilities do clear the command line
> on initialization to prevent leaking sensitive information that needs to be
> passed over the command line.
>
> I have tested the PSQL Client to not be clearing the password from the
> command line string when a non-privileged user reviews the process.
>
> To reproduce:
> psql "postgresql://postgres:password(at)localhost:5432/database" -c "SELECT
> clock_timestamp(),pg_sleep(200),clock_timestamp()" &
> [220068]
> ps -f -p 220068
> /usr/lib/postgresql/12/bin/psql postgresql://postgres:password(at)localhost
> :5432/database
>
>

This is not a function of PostgreSQL, but one of your operating system. It
is the operating system that shows this information, not PostgreSQL. There is
no way that psql (or other tools) could know if what you pass is sensitive
-- you could just as well have put sensitive data in the query for -c, for
example.

That said, you shouldn't be putting your password on the commandline if you
are not in a secure environment. PostgreSQL provides multiple different
ways to pass the password, such as an environment variable or the .pgpass
file.

//Magnus
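As an added example (not from this thread and not PostgreSQL's own code), a small POSIX-sh toolkit for the mitigation Magnus points to: move the password out of the URI's userinfo into a libpq password file with the 0600 mode libpq requires, and check a command line for the exposed `user:password@` form. All function names are my own assumptions.

```shell
#!/bin/sh
# Helpers (illustrative, not part of psql) for keeping a password out of argv.

# Escape the two characters libpq treats specially in a .pgpass field.
pgpass_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Append one hostname:port:database:username:password entry to FILE and
# enforce mode 0600; libpq silently ignores a group/world-readable file.
# Usage: pgpass_add FILE HOST PORT DB USER PASSWORD
pgpass_add() {
    pgpass_file=$1
    ( umask 077
      printf '%s:%s:%s:%s:%s\n' \
          "$(pgpass_escape "$2")" "$(pgpass_escape "$3")" \
          "$(pgpass_escape "$4")" "$(pgpass_escape "$5")" \
          "$(pgpass_escape "$6")" >> "$pgpass_file" )
    chmod 0600 "$pgpass_file"
}

# True (exit 0) when a libpq URI embeds a password in its userinfo, the
# "postgresql://user:secret@host/..." shape that ps(1) shows to every user.
uri_has_password() {
    printf '%s\n' "$1" | grep -Eq '^postgres(ql)?://[^/@:]+:[^/@]*@'
}

# Remove the password from the userinfo so the URI is safe to pass on the
# command line; the password then comes from ~/.pgpass or $PGPASSFILE.
uri_strip_password() {
    printf '%s\n' "$1" | sed -E 's#^(postgres(ql)?://[^/@:]+):[^/@]*@#\1@#'
}

# Defensive check: list running commands whose arguments embed a URI password.
audit_ps_for_uri_passwords() {
    ps -eo args= | grep -E 'postgres(ql)?://[^/@:]+:[^/@]*@'
}
```

Typical use: `pgpass_add ~/.pgpass localhost 5432 database postgres 'secret'` once, then `psql "$(uri_strip_password "$uri")"`, so the process listing shows only `postgresql://postgres@localhost:5432/database`.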
