| From: | Luis Díaz <luisjesusdm(at)gmail(dot)com> |
|---|---|
| To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | PSQL Client command line password leak when using Connection String |
| Date: | 2022-02-08 00:15:49 |
| Message-ID: | CAOvi+ke2w4LjbP2Oa5qX_W3N-vgpVegCsAKoDv3mHvY+YLdUew@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Hello,
In Unix, the command line of all users is public and when using a
connection string, sensitive data is passed unencrypted (the password)
I think some Linux/Unix command-line utilities do clear the command line on
initialization to prevent leaking sensitive information that needs to be
passed over the command line.
I have tested the PSQL Client to not be clearing the password from the
command line string when a non-privileged user reviews the process.
To reproduce:
psql "postgresql://postgres:password(at)localhost:5432/database" -c "SELECT
clock_timestamp(),pg_sleep(200),clock_timestamp()" &
[220068]
ps -f -p 220068
/usr/lib/postgresql/12/bin/psql postgresql://postgres:password(at)localhost
:5432/database
[image: Screenshot_20220208_010124.png]
Best regards,
------------------------------
Luis J. DiazWeb Developer
- [image: Website] <https://www.drconopoima.com>
- [image: GitHub] <https://github.com/drconopoima>
- [image: LinkedIn] <https://www.linkedin.com/in/drconopoima>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2022-02-08 00:30:35 | Re: BUG #17391: While using --with-ssl=openssl and PG_TEST_EXTRA='ssl' options, SSL tests fail on OpenBSD 7.0 |
| Previous Message | PG Bug reporting form | 2022-02-07 20:40:15 | BUG #17398: Casts from BYTEA to TEXT and FLOAT4/8 to TEXT should not be immutable |