Re: [PATCH] pg_autovacuum commandline password hiding.

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
Cc: "Ian FREISLICH" <if(at)hetzner(dot)co(dot)za>, pgsql-patches(at)postgresql(dot)org
Subject: Re: [PATCH] pg_autovacuum commandline password hiding.
Date: 2005-05-24 15:02:16
Message-ID: 20752.1116946936@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches

"Dave Page" <dpage(at)vale-housing(dot)co(dot)uk> writes:
>> Which is exactly why we don't (and won't) provide such a switch.

> Err, yes we do:

Um, sorry, I totally misread Ian's patch as a proposal that we add a
password switch (I hate unidiffs ;-)).

I would argue actually that this switch is a horrible idea and we
must take it out entirely. The method Ian proposes for hiding the
password after reading it is certainly not portable in the slightest,
and even if we could make it work on all platforms (which we can't)
I don't think it would be good enough, because there would still be
a window where the superuser password was exposed to view before
we could wipe it out.

psql, pg_dump, etc allow password specification from stdin and from
.pgpass, never on the command line. There is a reason why they are all
designed like that. pg_autovacuum hasn't been studied carefully enough
I guess, because we should never have let a security hole like this get
by us.

regards, tom lane

In response to

Responses

Browse pgsql-patches by date

  From Date Subject
Next Message despina simmons 2005-05-24 15:27:22 enhance your anatomy
Previous Message Alvaro Herrera 2005-05-24 14:41:56 Re: plperl strict mode