The following bug has been logged on the website:
Bug reference: 15930
Logged by: Georg Sauthoff
Email address: postgres-bug@gms.tf
PostgreSQL version: 11.4
Operating system: Linux
Description:
Under Linux, when supplying the password via PGPASSWORD to the psql command
the password can be easily retrieved from the /proc/$pid/environ pseudo file
(or indirectly with e.g. `ps ae`) - for the complete runtime of the psql
process.
Test case:
# Terminal 1
$ PGPASSWORD='geheim' psql -h 127.0.0.1 --user juser -d juser
# Terminal 2
$ < /proc/$psqlpid/environ tr '\0' '\n' | grep PGPASSWORD
Expected output:
PGPASSWORD=xxxxxx
Actual output:
PGPASSWORD=geheim
See my gist for a minimal example that demonstrate how to redact the
password on linux:
https://gist.github.com/gsauthof/3efc1a7865fb70517ed741169b3bf11d
Redacting the password can be seen as a defense-in-depth measure.
It improves the security in use cases like this one:
A batch job script starts some long running psql processes. To avoid having
to enter the password several times, the script just asks once for the
password and then supplies it to each psql process in the PGPASSWORD
variable. Now the user forgets to lock his screen and leaves his desk. A
novice attacker present in the same office could now easily look up the
password in `/proc/$pid/environ` or - say - by executing `ps ae`.
