Greg Smith <gsmith@gregsmith.com> writes:
> In your typical shell nowadays the echo command is a built-in one--it
> executes directly rather than calling a separate echo binary, so it won't
> leak what you tell it onto a command line. That means this line in a
> script would be simplest way to do this that's not completely insecure:
> echo "create user foo password 'secret'" | psql ...
And if we haven't given you a headache yet:
There's a similar risk even after you've securely sent the command
to the database server: it will be transiently exposed in
pg_stat_activity, and perhaps permanently logged in the postmaster log.
Now the audience that can see either of those things is hopefully
smaller than "everyone on the machine", but still it's not very nice
if you don't want anyone else to know the cleartext of your password.
The way to deal with this is to pre-encrypt the password before you send
it over to the server. Both the createuser program and psql's \password
command do it that way. Unfortunately it looks like they both insist on
reading the password from /dev/tty, so if you want to script this, you'd
be stuck with making a special-purpose program that didn't.
regards, tom lane
