Thread: Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up


Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up

From
"Zeugswetter Andreas SB SD"
Date:
> Doug McNaught <doug@wireboard.com> writes:
> > But this way the password ends up in the environment, which on many
> > systems is visible to other processes/users (via /proc or the 'ps'
> > command).
> 
> Your *environment* is visible to other users?  Geez, what a broken
> system ...

Try "ps axewww" ? Doesn't work on your platform ? 
Works on AIX, Linux?, ...

Andreas


Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up

From
Antonio Fiol Bonnín
Date:
Zeugswetter Andreas SB SD wrote:

> > Doug McNaught <doug@wireboard.com> writes:
> > > But this way the password ends up in the environment, which on many
> > > systems is visible to other processes/users (via /proc or the 'ps'
> > > command).
> >
> > Your *environment* is visible to other users?  Geez, what a broken
> > system ...
>
> Try "ps axewww" ? Doesn't work on your platform ?
> Works on AIX, Linux?, ...

Linux Debian Unstable (updated 1 week ago).

For a non-root user, only her processes' environment appears.
(and /proc/*/environ permissions are 400, the user being the process owner)

For root, all processes' environment is shown.

Antonio


>
>
> Andreas
>



Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens

From
Bruce Momjian
Date:
> 
> > Doug McNaught <doug@wireboard.com> writes:
> > > But this way the password ends up in the environment, which on many
> > > systems is visible to other processes/users (via /proc or the 'ps'
> > > command).
> > 
> > Your *environment* is visible to other users?  Geez, what a broken
> > system ...
> 
> Try "ps axewww" ? Doesn't work on your platform ? 
> Works on AIX, Linux?, ...

Works on BSD/OS too, so I assume it works on all the BSD's.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
 


Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens

From
Bruce Momjian
Date:
> Zeugswetter Andreas SB SD wrote:
> 
> > > Doug McNaught <doug@wireboard.com> writes:
> > > > But this way the password ends up in the environment, which on many
> > > > systems is visible to other processes/users (via /proc or the 'ps'
> > > > command).
> > >
> > > Your *environment* is visible to other users?  Geez, what a broken
> > > system ...
> >
> > Try "ps axewww" ? Doesn't work on your platform ?
> > Works on AIX, Linux?, ...
> 
> Linux Debian Unstable (updated 1 week ago).
> 
> For a non-root user, only her processes' environment appears.
> (and /proc/*/environ permissions are 400, the user being the process owner)
> 
> For root, all processes' environment is shown.

On BSD/OS, it doesn't matter what user you are.  You can see the
environment of all processes.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
 


Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up

From
"Christopher Kings-Lynne"
Date:
> > Try "ps axewww" ? Doesn't work on your platform ?
> > Works on AIX, Linux?, ...
>
> Linux Debian Unstable (updated 1 week ago).
>
> For a non-root user, only her processes' environment appears.
> (and /proc/*/environ permissions are 400, the user being the
> process owner)
>
> For root, all processes' environment is shown.
>
> Antonio

I've tried it on FreeBSD and it seems an unprivileged user can only see his
or her own environmental variables, it doesn't show variables for any other
user.

Chris



Re: FW: [ppa-dev] Severe bug in debian - phppgadmin opens

From
Bruce Momjian
Date:
> > > Try "ps axewww" ? Doesn't work on your platform ?
> > > Works on AIX, Linux?, ...
> >
> > Linux Debian Unstable (updated 1 week ago).
> >
> > For a non-root user, only her processes' environment appears.
> > (and /proc/*/environ permissions are 400, the user being the
> > process owner)
> >
> > For root, all processes' environment is shown.
> >
> > Antonio
> 
> I've tried it on FreeBSD and it seems an unprivileged user can only see his
> or her own environmental variables, it doesn't show variables for any other
> user.

Yes, I see that now.  Seems maybe my OS is the only one that isn't fixed
yet.  :-(

Anyway, I based my dislike of passwords in the environment on prior
practice of other programs.  I knew one of the reasons it isn't used is
because of 'ps', but there is also the issue of the passwords passed to
subprocesses, across 'su' calls, and into 'core' files.  It just seems
like a bad practice.

Passwords stored in a file, though not ideal, seem more secure, are
used by cvs and a few other programs, and allow us to define a format
that can be used to store different user/host/password combinations in
the same file, if we wish.

Of course, given that most OS's don't have the 'ps' environment problem,
maybe we have to keep PGPASSWORD around.  It is up to the group.  Do
people want me to change my wording of the option in the SGML sources?

    <envar>PGPASSWORD</envar> sets the password used if the backend
    demands password authentication. This is not recommended because
    the password can be read by others using a <command>ps</command>
    environment flag on some platforms.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
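
The platform differences reported in this thread can be checked per host. The script below is an added example, not code from any poster or from PostgreSQL: it walks a /proc-style tree (the Linux layout Antonio describes) and reports, for each process, the mode of its environ file, whether the current user can read it, and whether a named variable such as PGPASSWORD is set. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report, for each process under a
# /proc-style tree, whether this user can read its environment and whether
# a named variable is set there. Values are never printed.

# env_has_var FILE NAME: succeeds if FILE (NUL-separated "NAME=value"
# entries) has an entry for NAME. Newlines inside values are flattened
# first so a multi-line value cannot fake an entry.
env_has_var() {
    tr '\n\0' ' \n' < "$1" 2>/dev/null | grep -q "^$2="
}

# file_mode FILE: octal permission bits (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_environ [ROOT] [NAME]: one line per process,
# "<pid> <mode> <readable|denied> <set|unset|unknown>".
audit_environ() {
    root=${1:-/proc}; name=${2:-PGPASSWORD}
    for f in "$root"/[0-9]*/environ; do
        [ -e "$f" ] || continue
        pid=${f%/environ}; pid=${pid##*/}
        mode=$(file_mode "$f")
        if ! cat "$f" >/dev/null 2>&1; then
            echo "$pid $mode denied unknown"
        elif env_has_var "$f" "$name"; then
            echo "$pid $mode readable set"
        else
            echo "$pid $mode readable unset"
        fi
    done
}

# make_sample_tree DIR: constructed stand-in for /proc with three processes.
make_sample_tree() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    printf 'HOME=/home/a\0PGPASSWORD=constructed\0' > "$1/101/environ"
    printf 'HOME=/home/b\0XPGPASSWORD=no\0'         > "$1/102/environ"
    printf 'NOTE=line1\nPGPASSWORD=fake\0'          > "$1/103/environ"
    chmod 400 "$1"/*/environ
}

sample=$(mktemp -d)
make_sample_tree "$sample"
audit_environ "$sample" PGPASSWORD
rm -rf "$sample"
```

Run as an unprivileged user, `audit_environ /proc PGPASSWORD` shows which environments that account can actually read on the host; "denied" lines for other users' processes match the behaviour reported for Debian above.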