Re: Proposed patch to disallow password=foo in databasename parameter

Alvaro Herrera wrote:
> Magnus Hagander wrote:
>> On Mon, Dec 10, 2007 at 10:47:19PM -0500, Tom Lane wrote:
>
>> If we want to prevent it for psql, we should actually prevent it *in* psql,
>> not in libpq. There are an infinite number of scenarios where it's
>> perfectly safe to put the password there... If we want to do it share, we
>> should add a function like PQSanitizeConnectionString() that will remove
>> it, that can be called from those client apps that may be exposing it.
>>
>> There are also platforms that don't show the full commandline to other
>> users - or even other processes - that aren't affected, of course.
>
> One idea is to have psql "hide" the password on the ps status. That way
> it becomes less of a security issue. It would still be a problem on
> certain operating systems, but at least several common platforms would
> be covered.

There would still be race condition. It would still be visible until
psql hides it. In a way that would be even worse, because it wouldn't be
obvious to an administrator that there's a problem because the password
wouldn't be visible in ps output, but hackers know about stuff like that.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com