Bad security practice in oid2name and pgbench

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: Bad security practice in oid2name and pgbench
Date: 2007-12-09 03:42:01
Message-ID: 1740.1197171721@sss.pgh.pa.us
Lists: pgsql-hackers

While going through the contrib documentation, I notice that both
oid2name and pgbench allow specifying a password on the command line,
ie
-P password

This is known to be horribly bad security practice (because the password
is exposed to everyone else on the machine), and we don't allow any of
our standard applications to do it. Why is contrib getting a free pass?

I think we should fix these two programs to work the same as our
other apps, ie, interactively prompt for password when needed.

regards, tom lane
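
An added illustration (not code from this mail or from the PostgreSQL tools): the script below starts a stand-in process that carries `-P password` in its argv, reads that argv back the way any other local user can (via /proc or `ps`), and then shows the prompt-based lookup the mail asks for; `password_leaks_via_cmdline`, `resolve_password` and the constructed secret are mine.

```python
# Added example, not part of the pgsql-hackers mail or of oid2name/pgbench.
# Demonstrates (1) that a password on the command line is readable by every
# local user and (2) the interactive-prompt alternative used by psql and friends.
import getpass
import subprocess
import sys


def cmdline_of(pid):
    """Return the argv of a process as any local user can read it.

    Uses /proc/<pid>/cmdline on Linux and falls back to `ps -o args=` elsewhere;
    both expose exactly what a `-P password` option puts in argv."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode() for a in f.read().split(b"\0") if a]
    except FileNotFoundError:
        out = subprocess.check_output(["ps", "-o", "args=", "-p", str(pid)], text=True)
        return out.split()


def password_leaks_via_cmdline(password):
    """Launch a stand-in for `pgbench -P <password>` (a sleeping interpreter
    with the same option in its argv) and report whether the password is
    visible in the process table. Returns True when it leaks."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)",
                              "-P", password])
    try:
        return password in cmdline_of(child.pid)
    finally:
        child.kill()
        child.wait()


def resolve_password(argv, prompt=getpass.getpass):
    """Hardened lookup: refuse a password in argv and prompt with echo off
    instead. `prompt` is injectable so the behaviour can be tested without a
    terminal; it defaults to getpass, which writes nothing into argv or ps."""
    if "-P" in argv:
        raise SystemExit("-P <password> is not accepted: it would be visible to "
                         "every user on this machine via ps; you will be prompted")
    return prompt("Password: ")
```

Run `password_leaks_via_cmdline("constructed-secret")` to see the leak on your own machine; the secret is a constructed sample, not a real credential.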
