PSQL Client command line password leak when using Connection String

From: Luis Díaz
Subject: PSQL Client command line password leak when using Connection String
Date:
Msg-id: CAOvi+ke2w4LjbP2Oa5qX_W3N-vgpVegCsAKoDv3mHvY+YLdUew@mail.gmail.com
Replies: Re: PSQL Client command line password leak when using Connection String  (Magnus Hagander <magnus@hagander.net>)
List: pgsql-bugs
Hello,

In Unix, the command line of all users is public, and when using a connection string, sensitive data (the password) is passed unencrypted.

I think some Linux/Unix command-line utilities do clear the command line on initialization to prevent leaking sensitive information that needs to be passed over the command line.

I have tested the PSQL Client to not be clearing the password from the command line string when a non-privileged user reviews the process.

To reproduce:
psql "postgresql://postgres:password@localhost:5432/database" -c "SELECT clock_timestamp(),pg_sleep(200),clock_timestamp()" &
[220068]
ps -f -p 220068
/usr/lib/postgresql/12/bin/psql postgresql://postgres:password@localhost:5432/database

Screenshot_20220208_010124.png
Best regards,

Luis J. Diaz

Web Developer

  • Website
  • GitHub
  • LinkedIn
 
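Added example, not part of the original report or of psql itself: a small Python script that does what the `ps -f -p` check above does by hand, but over the whole process table. It scans `ps -eo pid,args` output for psql/libpq arguments that carry a password, either in the userinfo of a `postgresql://` / `postgres://` URI or as a `password=` keyword, and reports each affected process with the secret redacted. The `ps` lines embedded below are constructed for the example and modelled on the report; the pids, hosts and passwords in them are made up.

```python
"""Scan process command lines for PostgreSQL passwords exposed in argv.

Added example, not part of the original bug report. It reads lines in the
format of `ps -eo pid,args` and flags any process whose arguments carry a
password, either inside a postgresql:// or postgres:// URI (userinfo) or as a
password=... keyword in a libpq conninfo string.
"""
import subprocess
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of `ps -eo pid,args` output, modelled on the report above.
SAMPLE_PS_OUTPUT = """\
    PID COMMAND
      1 /sbin/init
 220068 /usr/lib/postgresql/12/bin/psql postgresql://postgres:password@localhost:5432/database -c SELECT clock_timestamp(),pg_sleep(200),clock_timestamp()
 220071 psql host=localhost user=app password=hunter2 dbname=app
 220075 psql -h localhost -U postgres -d database
 220080 pg_dump postgresql://report@db.internal/warehouse
"""

URI_SCHEMES = ("postgresql://", "postgres://")


def redact_uri(uri):
    """Return the URI with its userinfo password replaced by '***'."""
    parts = urlsplit(uri)
    if parts.password is None:      # no password component present
        return uri
    # userinfo is everything before the last '@' of the netloc
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc=f"{user}:***@{hostport}"))


def find_cmdline_credentials(ps_output):
    """Return [(pid, redacted_command)] for processes leaking a password in argv."""
    findings = []
    for line in ps_output.splitlines()[1:]:   # first line is the ps header
        line = line.strip()
        if not line:
            continue
        pid, _, command = line.partition(" ")
        leaked = False
        redacted = []
        # ps prints argv space-separated, so a conninfo string such as
        # "host=x password=y" shows up as separate words as well
        for arg in command.split():
            if arg.startswith(URI_SCHEMES) and urlsplit(arg).password is not None:
                leaked = True
                arg = redact_uri(arg)
            elif arg.startswith("password="):
                leaked = True
                arg = "password=***"
            redacted.append(arg)
        if leaked:
            findings.append((int(pid), " ".join(redacted)))
    return findings


def scan_live_processes():
    """Run the check against the processes visible on this host."""
    output = subprocess.run(["ps", "-eo", "pid,args"], capture_output=True,
                            text=True, check=True).stdout
    return find_cmdline_credentials(output)


if __name__ == "__main__":
    for pid, cmd in find_cmdline_credentials(SAMPLE_PS_OUTPUT):
        print(f"pid {pid}: {cmd}")
```

Run against the constructed sample it reports pids 220068 and 220071 and leaves the two processes that pass no password alone; `scan_live_processes()` does the same for the real process table. The durable fix is to keep the secret out of argv altogether: libpq reads it from `~/.pgpass` (which it only honours when the file is not group- or world-accessible) or from the `PGPASSWORD` environment variable, and psql prompts for it when none is supplied.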
Attachments
