Re: PGPASSWORD

From: Oliver Jowett
Subject: Re: PGPASSWORD
Date:
Msg-id: 421FB46A.6010304@opencloud.com
In response to: Re: PGPASSWORD (postgresbugs <postgresbugs@grifent.com>)
Responses: Re: PGPASSWORD (postgresbugs <postgresbugs@grifent.com>)
List: pgsql-bugs
postgresbugs wrote:
> Tom Lane wrote:
>
>> The point here is that if
>> PGPASSWORD is passed down to psql as an environmental variable, it is
>> visible as part of psql's environment for the entire run of psql.
>> Whatever the calling script does later doesn't remove that window of
>> vulnerability.

[...]

> And, yes I do understand that for the brief period the environmental
> variable could possibly be visible on some platforms, but even Windows
> has the local directive which makes the variable far more secure.

The window is much longer than that. As Tom said, for PGPASSWORD to work
it has to be present in the environment of the psql process -- that's
how psql gets the password! That environment may be visible to other
users of the system, depending on the OS. psql could remove the password
after use, I suppose, but that just narrows the window.

IMO *any* window of vulnerability is unacceptable -- it opens up any
periodic or triggerable process to an attacker who tries to get the
timing just right (not impossible to do if you can also slow down the
system you are attacking to widen the window..)

PGPASSWORD is just a bad idea as a general mechanism. We need some other
way.

-O
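The window Oliver describes, shown as an added Python example that is not part of the thread: it assumes Linux procfs (/proc/<pid>/environ), stands a sleeping child process in for psql, and uses a constructed placeholder as the password. Run as the same user, it finds the child's PGPASSWORD readable for the child's whole lifetime; the same scan lets an operator audit a host for scripts that still hand credentials to psql this way.

```python
import os
import subprocess
import sys
import time

PROC = "/proc"  # Linux procfs; /proc/<pid>/environ holds a process's initial environment

def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE entries of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\x00"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def find_env_leaks(var_name: str = "PGPASSWORD") -> dict:
    """Map pid -> value for every readable process carrying var_name.
    Unprivileged users can read only their own processes' environ; root reads all."""
    leaks = {}
    if not os.path.isdir(PROC):
        return leaks
    for pid in os.listdir(PROC):
        if not pid.isdigit():
            continue
        try:
            with open(f"{PROC}/{pid}/environ", "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # another user's process, or it already exited
        if var_name in env:
            leaks[int(pid)] = env[var_name]
    return leaks

def demo_child_leak():
    """Start a child the way a script starting psql would, then audit it.
    True: child's PGPASSWORD readable; False: not found; None: no /proc (non-Linux)."""
    if not os.path.isdir(PROC):
        return None
    secret = "constructed-demo-password"  # placeholder, not a real credential
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"],
                             env=dict(os.environ, PGPASSWORD=secret))
    try:
        for _ in range(20):  # poll briefly: the child needs a moment to exec
            if find_env_leaks().get(child.pid) == secret:
                return True
            time.sleep(0.1)
        return False
    finally:
        child.kill(); child.wait()  # never leave the demo child behind
```

Removing the variable in the calling shell afterwards changes nothing here: the value stays in the child's environ for as long as the child runs.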
