Re: [HACKERS] TODO list updated
From | Bruce Momjian |
---|---|
Subject | Re: [HACKERS] TODO list updated |
Date | |
Msg-id | 200001131315.IAA25149@candle.pha.pa.us |
In response to | Re: [HACKERS] TODO list updated (Peter Eisentraut <e99re41@DoCS.UU.SE>) |
Responses | Re: [HACKERS] TODO list updated |
List | pgsql-hackers |

> On Wed, 12 Jan 2000, Tom Lane wrote:
>
> > Note that if initdb is a shell script, then it still has to be very
> > careful what it does with the password; put it in any command line
> > for a program invoked by the script, and the leak is back with you.
> > A C-program version of initdb would be a lot safer. But in theory you
> > can pass the password to the backend without exposing it in any command
> > line (put it in a data file instead, say).
>
> What it does is some sort of sed s/genericpassword/realpassword/ so I
> guess this is not completely safe either. But something like this you'd
> have to do. Can I count you in on beating Bruce into submission for an
> initdb in C? ;)

I will be responsible to make sure the password doesn't get into a
command as an argument. sed has a -f command that will take its regex
input from a file. That is the solution, though the umask has to be set
to make sure the temp file is not readable by anyone else.

Most OS vendors use shell scripts for this type of thing because it
doesn't have to be fast, and it is changed often.

--
  Bruce Momjian                        |  http://www.op.net/~candle
  maillist@candle.pha.pa.us            |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
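
The approach described in the message above (a sed script read with -f from a temp file created under a restrictive umask), written out as an added shell example. It is not code from the thread or from initdb; the function names, the temp-file prefix and the assumption that `printf` is a shell builtin are mine.

```shell
#!/bin/sh
# Added example, not initdb's code; all names here are hypothetical.
# Assumes printf is a shell builtin (true in bash and dash), so the password
# never appears in any process's argument list.
# Usage: substitute_password template genericpassword < password-file > output

# write_sed_script PLACEHOLDER
# Reads the real password from stdin, writes "s|PLACEHOLDER|password|g" to a
# private temp file and prints that file's path.
write_sed_script() (
    placeholder=$1            # assumed to be a plain alphanumeric token
    umask 077                 # anything this subshell creates is owner-only
    script=$(mktemp "${TMPDIR:-/tmp}/sedpw.XXXXXX") || exit 1
    IFS= read -r password || [ -n "$password" ] || { rm -f "$script"; exit 1; }
    # Escape \, & and the | delimiter. The password travels over a pipe;
    # this sed invocation's argv holds only the fixed escaping expression.
    escaped=$(printf '%s\n' "$password" | sed 's/[\\&|]/\\&/g')
    printf 's|%s|%s|g\n' "$placeholder" "$escaped" > "$script"
    printf '%s\n' "$script"
)

# substitute_password TEMPLATE PLACEHOLDER
# Password on stdin, filled-in template on stdout.
substitute_password() {
    script=$(write_sed_script "$2") || return 1
    sed -f "$script" "$1"     # argv holds only file names, never the password
    rc=$?
    rm -f "$script"           # remove the script as soon as sed is done
    return "$rc"
}
```

mktemp already creates its file with mode 0600; the `umask 077` matters for shells or scripts that create the file by plain redirection instead.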