Home > mailing lists

Re: Concurrent psql patch - Mailing list pgsql-patches

From	Heikki Linnakangas
Subject	Re: Concurrent psql patch
Date	May 18, 2007 12:12:13
Msg-id	464D9808.5000701@enterprisedb.com Whole thread Raw
In response to	Re: Concurrent psql patch ("Pavan Deolasee" <pavan.deolasee@gmail.com>)
List	pgsql-patches

Tree view

Pavan Deolasee wrote:
> --- 1179,1189 ----
>                              dbname, user, password);
>
>        /* We can immediately discard the password -- no longer needed */
> !       if (password)
> !       {
> !           memset(password, '\0', strlen(password));
>            free(password);
> +       }
>
>
> Any reason why we do this ? "password" is anyways freed.  I think you
> might have left it behind after some debugging exercise.

I believe it's for security reasons. If that memory page is for example
swapped to disk after freeing the field, the password would be written
to the swapfile. Someone who steals your laptop would be able to recover
it from there. Clearing passwords from memory when they're no longer
needed is a good practice.

--
   Heikki Linnakangas
   EnterpriseDB   http://www.enterprisedb.com

pgsql-patches by date:

From: Heikki Linnakangas
Date: 18 May 2007, 12:07:15
Subject: Re: Maintaining cluster order on insert

From: "Pavel Stehule"
Date: 18 May 2007, 13:02:07
Subject: Re: Updateable cursors patch

Re: Concurrent psql patch - Mailing list pgsql-patches

Previous

Next