#30370: Add support for postgresql client certificates and key to dbshell.
---------------------------------------------+---------------------------------------
     Reporter:  Oleh Mykytyuk                |                    Owner:  Oleh Mykytyuk
         Type:  New feature                  |                   Status:  closed
    Component:  Database layer (models, ORM) |                  Version:  master
     Severity:  Normal                       |               Resolution:  fixed
     Keywords:  dbshell postgresql           |             Triage Stage:  Ready for checkin
                certificate                  |
    Has patch:  1                            |      Needs documentation:  0
  Needs tests:  0                            |  Patch needs improvement:  0
Easy pickings:  0                            |                    UI/UX:  0
---------------------------------------------+---------------------------------------

Comment (by Robert Kisteleki):

Replying to [comment:13 felixxm]:
> That's not a bug, it's a new feature. I don't see a security issue in this behavior. `dbshell` is a utility tool and passwords, keys, etc. will travel in clear text only if your database allows non-ssl connections. It's also [https://docs.djangoproject.com/en/3.0/ref/django-admin/#dbshell documented] that ''not all options set in the `OPTIONS` part of your database configuration in `DATABASES` are passed to the command-line client''.

I understand your argument for considering it a feature instead. My point is that it's a security feature.

> > As it stands, users connecting to a Postgres server with the CLI (psql), if configured properly, will connect verifiably using TLS, giving the impression that the setup is correct and the connection is secured. However, this is a false impression as even if the configuration is perfect, ....
>
> `dbshell` uses a subprocess with [https://github.com/django/django/blob/7d8df4ad032c6241776c2b3ec6c76af9dd84fda3/django/db/backends/postgresql/client.py#L34 a copy of the current environment], so if you set `PGSSLMODE`, `PGSSLROOTCERT`, etc. in your current environment you will connect using TLS even without this change.

That is true. However, that requires devs (and/or users) to understand that even though Django is configured properly and everyday use (via wsgi and such) is fine, if they *ever* ask for a dbshell and do not consciously set ENV variables, auth tokens and perhaps PII can be captured on the wire. IMO it's a basic security requirement never to send your password in the clear... So this has vast consequences in environments where you don't control the network.

--
Ticket URL: <https://code.djangoproject.com/ticket/30370#comment:14>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
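
The environment-variable route discussed in the comment above, as an added example that is not part of the original message and is not Django's implementation: it copies the TLS entries of a `DATABASES` `OPTIONS` dict into the libpq variables that `psql` reads and flags modes that do not enforce TLS. The names `psql_env` and `SAMPLE_DB`, the host and the file paths are assumptions made for illustration.

```python
import os

# libpq connection parameter -> environment variable that psql reads
LIBPQ_SSL_ENV = {
    "sslmode": "PGSSLMODE",
    "sslrootcert": "PGSSLROOTCERT",
    "sslcert": "PGSSLCERT",
    "sslkey": "PGSSLKEY",
}
# sslmode values with which libpq refuses an unencrypted connection
ENFORCING_SSLMODES = {"require", "verify-ca", "verify-full"}

# Constructed sample DATABASES entry (host and paths are placeholders)
SAMPLE_DB = {
    "NAME": "appdb",
    "USER": "app",
    "HOST": "db.example.internal",
    "OPTIONS": {
        "sslmode": "verify-full",
        "sslrootcert": "/etc/ssl/pg/root.crt",
        "sslcert": "/etc/ssl/pg/client.crt",
        "sslkey": "/etc/ssl/pg/client.key",
    },
}


def psql_env(settings_dict, base_env=None):
    """Return (env, warnings) for starting psql from one DATABASES entry."""
    env = dict(os.environ if base_env is None else base_env)
    options = settings_dict.get("OPTIONS") or {}
    for param, var in LIBPQ_SSL_ENV.items():
        if options.get(param):
            env[var] = str(options[param])  # settings override inherited env
    warnings = []
    mode = env.get("PGSSLMODE")
    if mode not in ENFORCING_SSLMODES:
        shown = mode or "unset (libpq default: prefer)"
        warnings.append(f"sslmode {shown}: TLS is not required, so the "
                        "session can fall back to an unencrypted connection")
    elif mode != "verify-full":
        warnings.append(f"sslmode {mode}: encrypted, but the server "
                        "identity is not fully verified")
    return env, warnings


if __name__ == "__main__":
    env, warnings = psql_env(SAMPLE_DB, base_env={})
    print({k: v for k, v in env.items() if k.startswith("PGSSL")}, warnings)
```

The returned `env` is what would be handed to `subprocess.run(["psql", ...], env=env)`; an empty warning list means the client will refuse a connection that is unencrypted or whose server certificate does not match the host.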