Hello,
In Unix, the command line of all users is public and when using a connection string, sensitive data is passed unencrypted (the password)
I think some Linux/Unix command-line utilities do clear the command line on initialization to prevent leaking sensitive information that needs to be passed over the command line.
I have tested the PSQL Client to not be clearing the password from the command line string when a non-privileged user reviews the process.
To reproduce:
psql "postgresql://postgres:password@localhost:5432/database" -c "SELECT clock_timestamp(),pg_sleep(200),clock_timestamp()" &
[220068]
ps -f -p 220068
/usr/lib/postgresql/12/bin/psql postgresql://postgres:password@localhost:5432/database
This is not a function of PostgreSQL, but one of your operating system. If the operating system that shows this information, not PostgreSQL. There is no way that psql (or other tools) could know if what you pass is sensitive -- you could just as well have put sensitive data in the query for -c, for example.
That said, you shouldn't be putting your password on the commandline if you are not in a secure environment. PostgreSQL provides multiple different ways to pass the password, such as an environment variable or the .pgpass file.
//Magnus
