Re: Password as a command line argument to createuser

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Greg Smith <gsmith(at)gregsmith(dot)com>
Cc: pgsql-general(at)postgresql(dot)org, j2ren(at)ucsd(dot)edu
Subject: Re: Password as a command line argument to createuser
Date: 2007-12-19 15:38:52
Message-ID: 23066.1198078732@sss.pgh.pa.us
Lists: pgsql-general

Greg Smith <gsmith(at)gregsmith(dot)com> writes:
> In your typical shell nowadays the echo command is a built-in one--it
> executes directly rather than calling a separate echo binary, so it won't
> leak what you tell it onto a command line. That means this line in a
> script would be the simplest way to do this that's not completely insecure:

> echo "create user foo password 'secret'" | psql ...

And if we haven't given you a headache yet:

There's a similar risk even after you've securely sent the command
to the database server: it will be transiently exposed in
pg_stat_activity, and perhaps permanently logged in the postmaster log.
Now the audience that can see either of those things is hopefully
smaller than "everyone on the machine", but still it's not very nice
if you don't want anyone else to know the cleartext of your password.

The way to deal with this is to pre-encrypt the password before you send
it over to the server. Both the createuser program and psql's \password
command do it that way. Unfortunately it looks like they both insist on
reading the password from /dev/tty, so if you want to script this, you'd
be stuck with making a special-purpose program that didn't.

regards, tom lane
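
One way to build the special-purpose program described above, as an added example that is not part of the original message or of PostgreSQL's own code: it reads the password from standard input rather than /dev/tty or the command line and prints a CREATE USER statement carrying the pre-hashed value, so the cleartext never reaches pg_stat_activity or the server log. It assumes the MD5 stored format (`md5` followed by the MD5 hex digest of password plus role name); the function names and the script name in the usage comment are hypothetical.

```python
#!/usr/bin/env python3
# Added example (hypothetical script name):
#   ./mkuser_sql.py foo < password_file | psql ...
import hashlib
import sys


def pg_md5_verifier(role: str, password: str) -> str:
    """Assumed MD5 stored form: 'md5' + hex(md5(password + role name)).

    The role name acts as the salt, so it must match the name exactly as
    the server stores it.
    """
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_ident(name: str) -> str:
    """Quote an SQL identifier, doubling any embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def create_user_sql(role: str, password: str) -> str:
    """Build a CREATE USER statement that carries only the hashed password."""
    # The verifier is 'md5' plus 32 hex digits, so it needs no SQL escaping.
    verifier = pg_md5_verifier(role, password)
    return f"CREATE USER {quote_ident(role)} ENCRYPTED PASSWORD '{verifier}';"


def main(argv, stdin) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} ROLE < password", file=sys.stderr)
        return 2
    # One line from stdin: the password never appears in argv (visible in ps)
    # and no terminal is required, so the script works unattended.
    password = stdin.readline().rstrip("\r\n")
    if not password:
        print("error: empty password on stdin", file=sys.stderr)
        return 1
    print(create_user_sql(argv[1], password))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

The password source on stdin should itself be a protected file or a pipe from a shell built-in, for the reason given in the quoted text.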
