Re: Passwords and batch processes (was Re: Problem with Dump)

On Friday 23 August 2002 17:47, David F. Skoll wrote:
> On Fri, 23 Aug 2002, Ian Barwick wrote:
> > AFAIK utilities such as pg_dump prompt for the password but
> > won't accept it as a command line option, which makes password-based
> > authentication almost unusable when calling these utilities from a
> > script.
>
> This really should be Question #1 in the FAQ.
>
> You can set the environment variable PGPASSWORD to the password, and avoid
> prompts.  This assumes the same username/password has access to all the
> databases for pg_dumpall.
>
> I didn't find this documented anywhere.  It probably is, but somewhere
> buried...

here?:
http://www.postgresql.org/idocs/index.php?libpq-envars.html

The security-conscious might like to note:

"PGPASSWORD sets the password used if the backend demands password
authentication. This is not recommended because the password can be read by
others using the ps command with special options on some platforms."

(At least on FreeBSD ps can be made to show the calling user's, but no
other users' environment variables).

Should this be included in the FAQ (it doesn't seem to be) I would include
the recommendation that the permissions of any file where PGPASSWORD is set
should be checked carefully.

Ian Barwick
barwick@gmx.net