Re: Deprecating plans for PGPASSWORD environment variable as insecure

From: Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>
To: Alexey Murz Korepov <murznn(at)gmail(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Deprecating plans for PGPASSWORD environment variable as insecure
Date: 2021-12-27 09:03:51
Message-ID: CAFj8pRB1nK0kwYyJ4bnBGU+90a9VPWDRKq3NFbYyyAZiH_=i-Q@mail.gmail.com
Lists: pgsql-general

Hi

On Mon, 27 Dec 2021 at 9:55, Alexey Murz Korepov <murznn(at)gmail(dot)com>
wrote:

> MySQL in version has deprecated the `MYSQL_PWD` environment variable,
> because they consider this way insecure; quote from
> https://dev.mysql.com/doc/refman/8.0/en/environment-variables.html#idm45429554761920
> :
>
> > Use of MYSQL_PWD to specify a MySQL password must be considered
> extremely insecure and should not be used. Some versions of ps include an
> option to display the environment of running processes. On some systems, if
> you set MYSQL_PWD, your password is exposed to any other user who runs ps.
> Even on systems without such a version of ps, it is unwise to assume that
> there are no other methods by which users can examine process environments.
>
> So I want to ask - is there the same plan for PostgreSQL with its
> `PGPASSWORD` environment variable for future versions, or will it stay as
> non-deprecated for future versions, and we can continue to use it without
> worrying?
>

I don't remember any discussion about it. There is a note in the documentation, so
this way is not preferred:

PGPASSWORD behaves the same as the password
<https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-PASSWORD>
connection parameter. Use of this environment variable is not recommended
for security reasons, as some operating systems allow non-root users to see
process environment variables via ps; instead consider using a password
file (see Section 34.16
<https://www.postgresql.org/docs/current/libpq-pgpass.html>).

https://www.postgresql.org/docs/current/libpq-envars.html

Regards

Pavel

> --
> Best regards,
> Alexey Murz Korepov.
> E-mail: murznn(at)gmail(dot)com
> Messengers: Matrix - https://matrix.to/#/@murz:ru-matrix.org Telegram -
> @MurzNN
>
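A defender-side illustration of the advice in the reply above (an added example, not code from this thread or from the PostgreSQL project): it writes a libpq password file with the 0600 mode libpq insists on, escapes fields the way the .pgpass format requires, and flags a PGPASSWORD still lingering in the environment. It assumes a POSIX sh with find and sed; the host and database names are constructed.

```shell
#!/bin/sh
# Escape the two characters that are special in a .pgpass field (':' and '\')
# by prefixing each with a backslash, as the libpq password-file format requires.
pgpass_escape() {
    printf '%s\n' "$1" | sed 's/[\\:]/\\&/g'
}

# Append one entry (hostname:port:database:username:password) to a password
# file, creating it unreadable by group and others. libpq silently ignores a
# password file whose permissions are wider than 0600, so the mode matters.
write_pgpass_entry() {
    file=$1 host=$2 port=$3 db=$4 user=$5 pass=$6
    ( umask 077
      printf '%s:%s:%s:%s:%s\n' \
          "$(pgpass_escape "$host")" "$(pgpass_escape "$port")" \
          "$(pgpass_escape "$db")"   "$(pgpass_escape "$user")" \
          "$(pgpass_escape "$pass")" >> "$file" )
    chmod 600 "$file"   # an already existing file may have been looser
}

# Succeed only if the file exists with exactly mode 0600 (the mode libpq accepts).
pgpass_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 0600 -print)" ]
}

# Succeed if PGPASSWORD is set at all, i.e. a password is still being handed
# to child processes through the environment that ps can display.
pgpassword_in_env() {
    [ -n "${PGPASSWORD+set}" ]
}

# Usage (constructed values): write an entry, then point libpq at the file
# with PGPASSFILE instead of exporting PGPASSWORD.
#   write_pgpass_entry "$HOME/.pgpass" db.example.com 5432 appdb app 's3cret'
#   PGPASSFILE="$HOME/.pgpass" psql -h db.example.com -U app appdb
```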
