| From: | "Daniel Verite" <daniel(at)manitou-mail(dot)org> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Desidero" <desidero(at)gmail(dot)com>,pgsql-general(at)postgresql(dot)org |
| Subject: | Re: pgpass file type restrictions |
| Date: | 2017-10-19 17:40:28 |
| Message-ID: | 6cc8501d-2dc5-4a81-ba09-1d31eeee0d7e@manitou-mail.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Tom Lane wrote:
> On many platforms, it's possible for other users to see the environment
> variables of a process. So PGPASSWORD is really quite insecure.
As said in https://www.postgresql.org/docs/current/static/libpq-envars.html
"PGPASSWORD behaves the same as the password connection
parameter. Use of this environment variable is not recommended for
security reasons, as some operating systems allow non-root users to
see process environment variables via ps; instead consider using a
password file"
I understand this in the context that PostgreSQL runs on many
operating systems, including ancient ones.
But in the case that the target platform is not afflicted by
"the environment is public" problem, what's best between
PGPASSWORD and .pgpass is a judgment call. Personally
I'm unimpressed by the recommendation above seemingly
favoring the latter, as if it hadn't its own problems.
Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Igal @ Lucee.org | 2017-10-19 18:11:44 | Re: Using Variables in Queries |
| Previous Message | rob stone | 2017-10-19 17:11:55 | Re: Problems with the time in data type timestamp without time zone |