Thread: Deprecating plans for PGPASSWORD environment variable as insecure

Deprecating plans for PGPASSWORD environment variable as insecure

From
Alexey Murz Korepov
Date:
MySQL in version have deprecated the `MYSQL_PWD` environment variable, because they considers this way as insecure, quote from https://dev.mysql.com/doc/refman/8.0/en/environment-variables.html#idm45429554761920:

>  Use of MYSQL_PWD to specify a MySQL password must be considered extremely insecure and should not be used. Some versions of ps include an option to display the environment of running processes. On some systems, if you set MYSQL_PWD, your password is exposed to any other user who runs ps. Even on systems without such a version of ps, it is unwise to assume that there are no other methods by which users can examine process environments.

So I want to ask - is there the same plan for PostgreSQL with it's `PGPASSWORD` environment variable for future versions, or will it stay as non-deprecated for future versions, and we can continue to use it without worrying?

--
Best regards,
Alexey Murz Korepov.
E-mail: murznn@gmail.com
Messengers: Matrix - https://matrix.to/#/@murz:ru-matrix.org Telegram - @MurzNN

Re: Deprecating plans for PGPASSWORD environment variable as insecure

From
Pavel Stehule
Date:
Hi

po 27. 12. 2021 v 9:55 odesílatel Alexey Murz Korepov <murznn@gmail.com> napsal:
MySQL in version have deprecated the `MYSQL_PWD` environment variable, because they considers this way as insecure, quote from https://dev.mysql.com/doc/refman/8.0/en/environment-variables.html#idm45429554761920:

>  Use of MYSQL_PWD to specify a MySQL password must be considered extremely insecure and should not be used. Some versions of ps include an option to display the environment of running processes. On some systems, if you set MYSQL_PWD, your password is exposed to any other user who runs ps. Even on systems without such a version of ps, it is unwise to assume that there are no other methods by which users can examine process environments.

So I want to ask - is there the same plan for PostgreSQL with it's `PGPASSWORD` environment variable for future versions, or will it stay as non-deprecated for future versions, and we can continue to use it without worrying?

 I don't remember any discussion about it. In the documentation is note, so this way is not preferred

PGPASSWORD behaves the same as the password connection parameter. Use of this environment variable is not recommended for security reasons, as some operating systems allow non-root users to see process environment variables via ps; instead consider using a password file (see Section 34.16).


Regards

Pavel


--
Best regards,
Alexey Murz Korepov.
E-mail: murznn@gmail.com
Messengers: Matrix - https://matrix.to/#/@murz:ru-matrix.org Telegram - @MurzNN