Re: Have an encrypted pgpass file

From: Marco van Eck <marco(dot)vaneck(at)gmail(dot)com>
To: tgl(at)sss(dot)pgh(dot)pa(dot)us
Cc: thomas(dot)munro(at)enterprisedb(dot)com, Craig Ringer <craig(at)2ndquadrant(dot)com>, Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Have an encrypted pgpass file
Date: 2018-08-01 15:33:39
Message-ID: CAE35ztPKvPE4xA7+jCGY+O5kL_9FtZ-owPDrUpXMvpU168pGgA@mail.gmail.com
Lists: pgsql-hackers

After explaining the patch to a colleague we identified the potential execution
of another user's command when it is defined as a command parameter. To protect
against it I've removed the possibility to pass the 'passcommand'. As a result,
libpq only allows the PGPASSCOMMAND environment variable, which can
only be defined by the executing user, and will be executed by the same
user. It only reduces the need for unencrypted passwords in a file.

I think this solution is secure enough, shall we solve this feature-request?

Regards, Marco

On Tue, Jul 24, 2018 at 4:00 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> Marco van Eck <marco(dot)vaneck(at)gmail(dot)com> writes:
> > Indeed having unencrypted password lying (.pgpass or PGPASSWORD or -W)
> > around is making my auditors unhappy, and forcing me to enter the password
> > over and over again. With a simple test it seems the password entered by
> > the user also stays in memory, since it is able to reset a broken
> > connection. Finding the password in memory is not trivial, but prevention
> > is always preferred.
>
> > It might be an idea to wipe the password after the login, and decrypt/read
> > it again if it needs to reconnect. Would this make the solution more
> > secure? I had a quick look at the code and the patch would stay compact.
> > Please let me know if doing this would make sense.
>
> We're basically not going to accept any added complication that's designed
> to prevent memory-inspection attacks, because in general that's a waste
> of effort. All you're doing is (slightly) reducing the attack window.
>
> regards, tom lane
>
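The design point Marco describes, as an added illustration that is not the attached patch's code nor libpq's own: the command that produces a password is read only from the PGPASSCOMMAND environment variable of the process running the client, while a `passcommand` key in a connection string is rejected as an unknown option (libpq's normal treatment of unrecognised conninfo keys). The option list, the lookup order (explicit `password` parameter first, then PGPASSCOMMAND) and the sample command are constructed assumptions for the demonstration.

```python
import shlex
import subprocess

# Constructed subset of libpq connection options for the demonstration; the
# real list is longer. Note that "passcommand" is deliberately absent.
KNOWN_OPTIONS = {"host", "port", "dbname", "user", "password", "sslmode"}


def parse_conninfo(conninfo):
    """Parse a minimal 'key=value key=value' libpq-style connection string."""
    params = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed conninfo token: {token!r}")
        params[key.strip()] = value
    return params


def invalid_options(params):
    """Return the conninfo keys that are not recognised options.

    A connection string may have been written by someone other than the user
    running the client, so a command named in it must never be executed; the
    only safe answer is to refuse the option entirely."""
    return sorted(k for k in params if k not in KNOWN_OPTIONS)


def run_pass_command(command):
    """Run PGPASSCOMMAND through the shell as the current user and return the
    first line of its output (assumption: a one-line secret on stdout)."""
    result = subprocess.run(
        command, shell=True, capture_output=True, text=True, check=True
    )
    lines = result.stdout.splitlines()
    return lines[0] if lines else None


def resolve_password(conninfo, env):
    """Return (password, source) for a connection.

    Lookup order is an assumption for this example: an explicit 'password'
    parameter wins, otherwise PGPASSCOMMAND from the environment is run.
    'env' is passed in explicitly so the behaviour can be tested without
    touching the real process environment."""
    params = parse_conninfo(conninfo)
    bad = invalid_options(params)
    if bad:
        # Mirrors libpq's rejection of unknown keys; nothing is executed.
        raise ValueError(f"invalid connection option(s): {', '.join(bad)}")
    if params.get("password"):
        return params["password"], "conninfo"
    command = env.get("PGPASSCOMMAND")
    if command:
        # Only the executing user's environment can set this, and the command
        # runs with that same user's privileges.
        return run_pass_command(command), "PGPASSCOMMAND"
    return None, None


if __name__ == "__main__":
    # Constructed sample: the command would normally be a decryption tool
    # printing the secret; 'echo' stands in for it here.
    env = {"PGPASSCOMMAND": "echo s3kret"}
    print(resolve_password("host=db dbname=app user=app", env))
    try:
        resolve_password("host=db passcommand='echo owned'", env)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of keeping the command source in the environment only: whoever controls a connection string (a config file, a URL, a command-line argument) cannot thereby choose a program to run, while the user who sets PGPASSCOMMAND already runs code as themselves.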

Attachment Content-Type Size
pgpasscommand_v2.patch application/x-patch 8.6 KB
