Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens

> > > Try "ps axewww" ? Doesn't work on your platform ?
> > > Works on AIX, Linux?, ...
> >
> > Linux Debian Unstable (updated 1 week ago).
> >
> > For a non-root user, only her processes' environment appears.
> > (and /proc/*/environ permissions are 400, the user being the
> > process owner)
> >
> > For root, all processes' environment is shown.
> >
> > Antonio
>
> I've tried it on FreeBSD and it seems an unprivlileged user can only see his
> or her own environmental variables, it doesn't show variables for any other
> user.

Yes, I see that now. Seems maybe my OS is the only one that isn't fixed
yet. :-(

Anyway, I based my dislike of passwords in the environment on prior
practice of other programs. I knew one of the reasons it isn't used is
because of 'ps', but there is also the issue of the passwords passed to
subprocesses, across 'su' calls, and into 'core' files. It just seems
like a bad practice.

Passwords stored in a file, though not ideal, seems more secure, are
used by cvs and a few other programs, and allow us to define a format
that can be used to store different user/host/password combinations in
the same file, if we wish.

Of course, given that most OS's don't have the 'ps' environment problem,
maybe we have to keep PGPASSWORD around. It is up to the group. Do
people want me to change my wording of the option in the SGML sources?

<envar>PGPASSWORD</envar>
sets the password used if the backend demands password
authentication. This is not recommended because the password can
be read by others using a <command>ps</command> environment flag
on some platforms.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026