From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, The Hermit Hacker <scrappy(at)hub(dot)org>, PostgreSQL-development <pgsql-hackers(at)postgreSQL(dot)org> |
Subject: | Re: [HACKERS] TODO list updated |
Date: | 2000-01-13 15:57:33 |
Message-ID: | 200001131557.KAA29869@candle.pha.pa.us |
Lists: | pgsql-hackers |
> After thinking about it a little more, I wonder if I was too optimistic
> to say that an initdb script could transfer the password securely.
> Consider: we can get the password with
>
> echo "Please enter password for postgres superuser: "
> read PASSWORD
>
> and now the password is in a shell variable of the shell running initdb,
> and hasn't been exposed anywhere else. So far so good, but now what?
> You can't securely do
>
> echo $PASSWORD | backend
>
> or
> echo $PASSWORD > allegedly-secure-temp-file

This is secure. echo is a shell builtin, and does not invoke a separate
process with arguments.

> (Actually, you'd want it to do a few more pushups: turn off tty
> echoing before prompting for password, read password twice and
> check it was entered the same both times, retry if not, etc.
> Another reason that a pure shell script isn't really up to the
> job is that AFAIR it can't easily turn off tty echoing.)

That is the part that is hard to do in a shell, except I think there are
stty settings for this.

I just did:

    stty -echo
    read PASS
    stty echo
    echo $PASS

and it worked perfectly:

    #$ /bjm/x
    <- typed test here
    test

--
Bruce Momjian | http://www.op.net/~candle
maillist(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
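
The steps discussed in this message (turn off tty echo, read the password twice, retry on mismatch, write it out with a builtin), put together as an added example that is not part of the original e-mail or of initdb. The function names `read_secret` and `prompt_password_to_file` are hypothetical, and the sketch assumes a shell such as bash or dash in which `printf` is a builtin.

```sh
#!/bin/sh
# Added example (not from the original message). Names are hypothetical.

# read_secret PROMPT: read one line from stdin into REPLY_SECRET, with tty
# echo turned off when stdin is a terminal.
read_secret() {
    printf '%s' "$1" >&2
    rc=0
    if [ -t 0 ]; then
        saved_tty=$(stty -g)                        # current tty settings
        trap 'stty "$saved_tty"; exit 130' INT TERM # restore echo on Ctrl-C
        stty -echo
        IFS= read -r REPLY_SECRET || rc=1
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r REPLY_SECRET || rc=1           # piped input, no tty
    fi
    return "$rc"
}

# prompt_password_to_file FILE [TRIES]: ask twice, retry on mismatch or
# empty input, then store the password in FILE, created with mode 0600.
prompt_password_to_file() {
    out=$1
    tries=${2:-3}
    while [ "$tries" -gt 0 ]; do
        read_secret 'Please enter password for postgres superuser: ' || return 1
        first=$REPLY_SECRET
        read_secret 'Enter it again: ' || return 1
        if [ -n "$first" ] && [ "$first" = "$REPLY_SECRET" ]; then
            # Assumption: printf is a shell builtin (true in bash and dash),
            # so the password never appears in a process argument list.
            ( umask 077; printf '%s\n' "$first" > "$out" ) || return 1
            unset first REPLY_SECRET
            return 0
        fi
        echo 'Passwords empty or did not match.' >&2
        tries=$((tries - 1))
    done
    unset first REPLY_SECRET
    return 1
}
```

The umask only takes effect when the file is created; a file that already exists keeps its previous mode.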