Tom Lane wrote:
psql, pg_dump, etc allow password specification from stdin and from
.pgpass, never on the command line.  There is a reason why they are all
designed like that.  pg_autovacuum hasn't been studied carefully enough
I guess, because we should never have let a security hole like this get
by us.

It has certainly been observed that this is a security problem in the past. In fact, the pg_autovacuum documentation makes that clear:

-P password: Password pg_autovacuum will use to connect with. *WARNING*
   This option is insecure. When installed as a Windows Service, this
   option will be stored in plain text in the registry. When used with
   most Unix variants, other users will be able to see the argument to
   the "-P" option via ps(1). The ~/.pgpass file can be used to
   specify a password more securely.

I think the reason there is at least some value in having this switch for pg_autovacuum is that pg_autovacuum is almost exclusively used in a situation in which the password can't be specified on the command-line (which is not the case for most of the other command-line tools). Sure, it isn't secure, but the documentation makes that clear, and security is not important to everyone -- I can certainly envision users for whom the command-line flag is convenient.


---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?


Reply via email to