Re: [patch] fix dblink security hole

Marko Kreen wrote:
> On 9/21/08, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Joe Conway <mail@joeconway.com> writes:
>>> Good point -- I'll look into that and post something tomorrow. How does
>>  > "requirepassword" sound for the option? It is consistent with
>>  > "requiressl" but a bit long and hard to read. Maybe "require_password"?
>>
>>
>> Well, no, because it's not requiring a password.
>>
>>  Perhaps "ignore_pgpass"?
> 
> You need to ignore pg_service also.  (And PGPASSWORD)

Why? pg_service does not appear to support wildcards, so what is the 
attack vector?

And on PGPASSWORD, the fine manual says the following:
  PGPASSWORD sets the password used if the server demands password  authentication. Use of this environment variable is
notrecommended  for security reasons (some operating systems allow non-root users to  see process environment variables
viaps); instead consider using the  ~/.pgpass file (see Section 30.13).
 

At the moment the only real issue I can see is .pgpass when wildcards 
are used for hostname:port:database.

Joe