#30370: Add support for postgresql client certificates and key to dbshell.
-------------------------------------+-------------------------------------
     Reporter:  Oleh Mykytyuk        |                    Owner:  Oleh
                                     |  Mykytyuk
         Type:  New feature          |                   Status:  closed
    Component:  Database layer       |                  Version:  master
  (models, ORM)                      |
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  dbshell postgresql   |             Triage Stage:  Ready for
  certificate                        |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Robert Kisteleki):

 Replying to [comment:13 felixxm]:
 > That's not a bug, it's a new feature. I don't see a security issue in
 this behavior. `dbshell` is a utility tool and passwords, keys, etc. will
 travel in clear text only if your database allows non-ssl connections.
 It's also [https://docs.djangoproject.com/en/3.0/ref/django-admin/#dbshell
 documented] that ''not all options set in the `OPTIONS` part of your
 database configuration in `DATABASES` are passed to the command-line
 client''.

 I understand your argument for considering it a feature instead. My point
 is that it's a security feature.

 > > As it stands, users connecting to a Postgres server with the CLI
 (psql), if configured properly, will connect verifiably using TLS, giving
 the impression that the setup is correct and the connection is secured.
 However, this is a false impression as even if the configuration is
 perfect, ....
 >
 > `dbshell` uses a subprocess with
 [https://github.com/django/django/blob/7d8df4ad032c6241776c2b3ec6c76af9dd84fda3/django/db/backends/postgresql/client.py#L34
 a copy of the current environment], so if you set `PGSSLMODE`,
 `PGSSLROOTCERT`, etc. in your current environment you will connect using
 TLS even without this change.

 That is true. However, that requires devs (and/or users) to understand
 that even though Django is configured properly and everyday use (via wsgi
 and such) is fine, if they *ever* ask for a dbshell and do not consciously
 set ENV variables, auth tokens and perhaps PII can be captured on the
 wire. IMO it's a basic security requirement never to send your password in
 the clear... So this has vast consequences in environments where you don't
 control the network.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30370#comment:14>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
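
The gap discussed in this comment, as an added example that is not part of the original message and is not Django's own code: it compares the TLS keys in a database `OPTIONS` dict with the libpq environment variables a `psql` child process would inherit, and builds an environment that carries them. The function names and `SAMPLE_DB` are hypothetical and constructed for illustration; only the environment is considered, not service files.

```python
import os

# libpq environment variables that correspond to the TLS keys of OPTIONS.
OPTION_TO_ENV = {
    "sslmode": "PGSSLMODE",
    "sslrootcert": "PGSSLROOTCERT",
    "sslcert": "PGSSLCERT",
    "sslkey": "PGSSLKEY",
}
# sslmode values under which libpq uses, or may fall back to, plaintext.
# An unset PGSSLMODE means the libpq default, "prefer".
NON_ENFORCING = {"", "disable", "allow", "prefer"}

# Constructed sample settings (hypothetical host and paths).
SAMPLE_DB = {
    "NAME": "app",
    "HOST": "db.example.internal",
    "OPTIONS": {
        "sslmode": "verify-full",
        "sslrootcert": "/etc/ssl/ca.crt",
        "sslcert": "/etc/ssl/client.crt",
        "sslkey": "/etc/ssl/client.key",
    },
}


def tls_gaps(settings_dict, environ):
    """Return the OPTIONS TLS keys that psql would not see via `environ`."""
    options = settings_dict.get("OPTIONS", {})
    return sorted(
        key for key, var in OPTION_TO_ENV.items()
        if key in options and environ.get(var) != str(options[key])
    )


def psql_env(settings_dict, environ=None):
    """Copy `environ` and add the TLS options from OPTIONS for a psql child."""
    env = dict(os.environ if environ is None else environ)
    for key, var in OPTION_TO_ENV.items():
        value = settings_dict.get("OPTIONS", {}).get(key)
        if value:
            env[var] = str(value)
    return env


def may_use_plaintext(environ):
    """True if the inherited sslmode permits an unencrypted session."""
    return environ.get("PGSSLMODE", "") in NON_ENFORCING
```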
