PSQL Client command line password leak when using Connection String - Mailing list pgsql-bugs

From: Luis Díaz
Subject: PSQL Client command line password leak when using Connection String
Msg-id: CAOvi+ke2w4LjbP2Oa5qX_W3N-vgpVegCsAKoDv3mHvY+YLdUew@mail.gmail.com
Responses: Re: PSQL Client command line password leak when using Connection String (Magnus Hagander <magnus@hagander.net>)
List: pgsql-bugs
Hello,

In Unix, the command line of all users is public, and when using a connection string, sensitive data (the password) is passed unencrypted.

I think some Linux/Unix command-line utilities do clear the command line on initialization to prevent leaking sensitive information that needs to be passed over the command line.

I have tested the PSQL client, and it does not clear the password from the command line string when a non-privileged user reviews the process.

To reproduce:
psql "postgresql://postgres:password@localhost:5432/database" -c "SELECT clock_timestamp(),pg_sleep(200),clock_timestamp()" &
[220068]
ps -f -p 220068
/usr/lib/postgresql/12/bin/psql postgresql://postgres:password@localhost:5432/database

Screenshot_20220208_010124.png
Best regards,

Luis J. Diaz

Web Developer

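As an added example (not part of Luis's report or of the PostgreSQL project), a small POSIX shell audit that turns the `ps` observation above into a defensive check: it scans a process listing for libpq URIs that carry an embedded password and reports each hit with the secret redacted. The sample listing, the function names and the regex are constructed for this example.

```shell
#!/bin/sh
# Audit a process listing for libpq connection URIs that carry a password in
# argv, i.e. exactly what any local user can read with `ps` or from
# /proc/<pid>/cmdline. Input lines look like `ps -eo pid,args` output.

# Constructed sample listing (PIDs, hosts and the secrets are made up;
# the psql line mirrors the reproduction from the report).
SAMPLE_PS='     1 /sbin/init
220068 /usr/lib/postgresql/12/bin/psql postgresql://postgres:password@localhost:5432/database -c SELECT 1
220070 psql -h localhost -U postgres database
220071 /usr/bin/python3 app.py --dsn postgres://app:s3cr3t@db.internal/app
220072 bash'

# BRE matching "user:password@" inside a postgres:// or postgresql:// URI.
# The credential part stops at the first "@" and never crosses whitespace,
# so a plain "host:port" URI without an "@" does not match.
PG_URI_CRED='postgres[a-z]*://[^:@/[:space:]]*:[^@[:space:]]*@'

# Read a listing on stdin; print each offending line with the password
# replaced by "***" so the finding itself does not re-leak the secret.
find_leaked_pg_passwords() {
    grep "$PG_URI_CRED" \
        | sed "s|\(postgres[a-z]*://[^:@/[:space:]]*:\)[^@[:space:]]*@|\1***@|g"
}

# Number of offending lines in a listing read from stdin.
count_leaked_pg_passwords() {
    find_leaked_pg_passwords | wc -l | tr -d ' '
}

# Run the audit against the live process table (pid + full argv).
audit_running_processes() {
    ps -eo pid,args 2>/dev/null | find_leaked_pg_passwords
}

# Demonstration on the constructed sample: two hits, both redacted.
printf '%s\n' "$SAMPLE_PS" | find_leaked_pg_passwords
```

Running `audit_running_processes` on a host lists live invocations that should be moved off argv, for example to the `PGPASSWORD` environment variable or a `~/.pgpass` file, both of which libpq reads without exposing the secret in the process listing.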
