Alvaro Herrera wrote:
Magnus Hagander wrote:
On Mon, Dec 10, 2007 at 10:47:19PM -0500, Tom Lane wrote:
If we want to prevent it for psql, we should actually prevent it *in* psql,
not in libpq. There are an infinite number of scenarios where it's
perfectly safe to put the password there... If we want to do it share, we
should add a function like PQSanitizeConnectionString() that will remove
it, that can be called from those client apps that may be exposing it.
There are also platforms that don't show the full commandline to other
users - or even other processes - that aren't affected, of course.
One idea is to have psql "hide" the password on the ps status. That way
it becomes less of a security issue. It would still be a problem on
certain operating systems, but at least several common platforms would
be covered.
There would still be race condition. It would still be visible until
psql hides it. In a way that would be even worse, because it wouldn't be
obvious to an administrator that there's a problem because the password
wouldn't be visible in ps output, but hackers know about stuff like that.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faq
