Re: Python access to macOS keychain

From: Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>
To: FWS Neil <neil(at)fairwindsoft(dot)com>
Cc: Nikhil Mohite <nikhil(dot)mohite(at)enterprisedb(dot)com>, pgadmin-support(at)postgresql(dot)org
Subject: Re: Python access to macOS keychain
Date: 2024-01-03 12:20:04
Message-ID: CAM9w-_nDyt8-M2Z3_QrX9sz+9T9SWYN0JUz3+Mb+AiGTniRfLg@mail.gmail.com
Lists: pgadmin-support

Hi Neil,

pgAdmin tries to access the passwords saved by pgAdmin for each server here
and that's why it is asking multiple times. "Always allow" means pgAdmin
can access the passwords saved by pgAdmin any number of times. We can try
to add a check if the password is stored then only access, but that will
only reduce the count of "asks" if that's what you want.
As mentioned by Nikhil, pgAdmin backend runs in a python process and when
you allow it you're allowing that process only. Once you close pgAdmin, the
backend process stops and permissions are gone as well.

On Wed, Jan 3, 2024 at 12:06 AM FWS Neil <neil(at)fairwindsoft(dot)com> wrote:

> Nikhil,
>
> A couple of problems. “Always allow” does not sound python pid specific.
> Are you saying that it is? If I just click “Allow”, I have to do the same
> for every defined connection even if the connection is not being used. As
> far as I know I don’t have any stored passwords. I think someone should
> seriously reconsider how this all works.
>
> I cannot find any place to select “Do not store passwords” which would be
> fine for me.
>
> Neil
>
> On Jan 1, 2024, at 4:23 AM, Nikhil Mohite <nikhil(dot)mohite(at)enterprisedb(dot)com>
> wrote:
>
> Hi Neil,
>
> pgAdmin uses a Keychain to store the pgAdmin server passwords if users opt
> for save password functionality. Keychain access is Python
> process-specific. Hence allowing keychain access to the python process
> requested by pgAdmin will be specific to this python pid. We are trying to
> add a pgAdmin name in the warning where it asks to allow keychain access.
>
>
> On Sun, Dec 24, 2023 at 10:12 PM Neil <neil(at)fairwindsoft(dot)com> wrote:
>
>> When I start pgAdmin on macOS, I get a request to allow ‘Python' access
>> to my keychain.
>>
>> Allowing ‘Python' unfettered access to my keychain is not acceptable. I
>> would however, allow pgAdmin to access my keychain.
>>
>> I understand that pgAdmin is using python.
>>
>> Can someone explain or point to an explanation about the security
>> implications of allowing ‘Python' to access my keychain?
>>
>> Is this really an unlimited authority for any Python process to access my
>> keychain as the dialog implies?
>>
>> Thanks,
>> Neil
>>
> Thanks,
> Nikhil

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Sr. Software Architect | *enterprisedb.com*
<https://www.enterprisedb.com/>
"Don't Complain about Heat, Plant a TREE"
