On 6/20/16 10:29 PM, Tom Lane wrote:
What I would want to know is whether this specific change is actually a
good idea.  In particular, I'm concerned about the possible security
implications of exposing primary_conninfo --- might it not contain a
password, for example?

That would have been my objection. This was also mentioned in the context of moving recovery.conf settings to postgresql.conf, because then the password would become visible in SHOW commands and the like.

We would need a way to put the password in a separate place, like a primary_conn_password setting. Yes, you can already use .pgpass for that, but since pg_basebackup -R will happily copy a password out of .pgpass into recovery.conf, this makes accidentally leaking passwords way too easy.

Alternatively or additionally, implement a way to strip passwords out of conninfo information. libpq already has information about which connection items are sensitive.

Needs more thought, in any case.

Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to