| From: | Neil Conway <neilc(at)samurai(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Dave Page <dpage(at)vale-housing(dot)co(dot)uk>, Ian FREISLICH <if(at)hetzner(dot)co(dot)za>, pgsql-patches(at)postgresql(dot)org |
| Subject: | Re: [PATCH] pg_autovacuum commandline password hiding. |
| Date: | 2005-05-25 01:42:07 |
| Message-ID: | 4293D7EF.9050800@samurai.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Tom Lane wrote:
> psql, pg_dump, etc allow password specification from stdin and from
> .pgpass, never on the command line. There is a reason why they are all
> designed like that. pg_autovacuum hasn't been studied carefully enough
> I guess, because we should never have let a security hole like this get
> by us.
It has certainly been observed that this is a security problem in the
past. In fact, the pg_autovacuum documentation makes that clear:
-P password: Password pg_autovacuum will use to connect with. *WARNING*
This option is insecure. When installed as a Windows Service, this
option will be stored in plain text in the registry. When used with
most Unix variants, other users will be able to see the argument to
the "-P" option via ps(1). The ~/.pgpass file can be used to
specify a password more securely.
I think the reason there is at least some value in having this switch
for pg_autovacuum is that pg_autovacuum is almost exclusively used in a
situation in which the password can't be specified on the command-line
(which is not the case for most of the other command-line tools). Sure,
it isn't secure, but the documentation makes that clear, and security is
not important to everyone -- I can certainly envision users for whom the
command-line flag is convenient.
-Neil
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Neil Conway | 2005-05-25 01:46:43 | Re: [PATCH] pg_autovacuum commandline password hiding. |
| Previous Message | Yamamoto makoto | 2005-05-24 19:38:44 | 大人の情報メールマガジン局 Vo.0015 |