On Wed, Jun 28, 2023 at 10:24:09PM -0700, Nathan Bossart wrote:
> On Wed, Jun 28, 2023 at 09:20:03PM -0700, Gurjeet Singh wrote:
>> The comment on top of connect_utils.c:connectDatabase() seems pertinent:
>>
>>> (Callers should not pass
>>> * allow_password_reuse=true unless reconnecting to the same database+user
>>> * as before, else we might create password exposure hazards.)
>>
>> The callers of {cluster|reindex}_one_database() (which in turn call
>> connectDatabase()) clearly pass different database names in successive
>> calls to these functions. So the patch seems to be in conflict with
>> the recommendation in the comment.
>>
>> I'm not sure if the concern raised in that comment is a legitimate
>> one, though. I mean, if the password is reused to connect to a
>> different database in the same cluster/instance, which I think is
>> always the case with these utilities, the password will exposed in the
>> server logs (if at all). And since the admins of the instance already
>> have full control over the passwords of the user, I don't think this
>> patch will give them any more information than what they can get
>> anyways.
>>
>> It is a valid concern, though, if the utility connects to a different
>> instance in the same run/invocation, and hence exposes the password
>> from the first instance to the admins of the second cluster.
>
> The same commit that added this comment (ff402ae) also set the
> allow_password_reuse parameter to true in vacuumdb's connectDatabase()
> calls. I found a message from the corresponding thread that provides some
> additional detail [0]. I wonder if this comment should instead recommend
> against using the allow_password_reuse flag unless reconnecting to the same
> host/port/user target. Connecting to different databases with the same
> host/port/user information seems okay. Maybe I am missing something...
Here is a new version of the patch in which I've updated this comment as
proposed. Gurjeet, do you have any other concerns about this patch?
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
>From 85d0a1bbe62c4cc01b3fdba7c653f95b8472cc7a Mon Sep 17 00:00:00 2001
From: Nathan Bossart <[email protected]>
Date: Tue, 27 Jun 2023 21:38:24 -0700
Subject: [PATCH v2 1/1] harmonize password reuse in vacuumdb, clusterdb, and
reindexdb
---
doc/src/sgml/ref/reindexdb.sgml | 14 --------------
doc/src/sgml/ref/vacuumdb.sgml | 13 -------------
src/bin/scripts/clusterdb.c | 2 +-
src/bin/scripts/reindexdb.c | 2 +-
src/fe_utils/connect_utils.c | 2 +-
5 files changed, 3 insertions(+), 30 deletions(-)
diff --git a/doc/src/sgml/ref/reindexdb.sgml b/doc/src/sgml/ref/reindexdb.sgml
index 8cb8bf4fa3..8d9ced212f 100644
--- a/doc/src/sgml/ref/reindexdb.sgml
+++ b/doc/src/sgml/ref/reindexdb.sgml
@@ -432,20 +432,6 @@ PostgreSQL documentation
</refsect1>
-
- <refsect1>
- <title>Notes</title>
-
- <para>
- <application>reindexdb</application> might need to connect several
- times to the <productname>PostgreSQL</productname> server, asking
- for a password each time. It is convenient to have a
- <filename>~/.pgpass</filename> file in such cases. See <xref
- linkend="libpq-pgpass"/> for more information.
- </para>
- </refsect1>
-
-
<refsect1>
<title>Examples</title>
diff --git a/doc/src/sgml/ref/vacuumdb.sgml b/doc/src/sgml/ref/vacuumdb.sgml
index da2393783b..09356ea4fa 100644
--- a/doc/src/sgml/ref/vacuumdb.sgml
+++ b/doc/src/sgml/ref/vacuumdb.sgml
@@ -605,19 +605,6 @@ PostgreSQL documentation
</refsect1>
-
- <refsect1>
- <title>Notes</title>
-
- <para>
- <application>vacuumdb</application> might need to connect several
- times to the <productname>PostgreSQL</productname> server, asking
- for a password each time. It is convenient to have a
- <filename>~/.pgpass</filename> file in such cases. See <xref
- linkend="libpq-pgpass"/> for more information.
- </para>
- </refsect1>
-
<refsect1>
<title>Examples</title>
diff --git a/src/bin/scripts/clusterdb.c b/src/bin/scripts/clusterdb.c
index 58a774013b..65428031c7 100644
--- a/src/bin/scripts/clusterdb.c
+++ b/src/bin/scripts/clusterdb.c
@@ -195,7 +195,7 @@ cluster_one_database(const ConnParams *cparams, const char *table,
PGconn *conn;
- conn = connectDatabase(cparams, progname, echo, false, false);
+ conn = connectDatabase(cparams, progname, echo, false, true);
initPQExpBuffer(&sql);
diff --git a/src/bin/scripts/reindexdb.c b/src/bin/scripts/reindexdb.c
index 5b297d1dc1..002c41f221 100644
--- a/src/bin/scripts/reindexdb.c
+++ b/src/bin/scripts/reindexdb.c
@@ -315,7 +315,7 @@ reindex_one_database(ConnParams *cparams, ReindexType type,
bool failed = false;
int items_count = 0;
- conn = connectDatabase(cparams, progname, echo, false, false);
+ conn = connectDatabase(cparams, progname, echo, false, true);
if (concurrently && PQserverVersion(conn) < 120000)
{
diff --git a/src/fe_utils/connect_utils.c b/src/fe_utils/connect_utils.c
index 7a1edea7c8..7d45f5c609 100644
--- a/src/fe_utils/connect_utils.c
+++ b/src/fe_utils/connect_utils.c
@@ -25,7 +25,7 @@
*
* If allow_password_reuse is true, we will try to re-use any password
* given during previous calls to this routine. (Callers should not pass
- * allow_password_reuse=true unless reconnecting to the same database+user
+ * allow_password_reuse=true unless reconnecting to the same host+port+user
* as before, else we might create password exposure hazards.)
*/
PGconn *
--
2.25.1
