Re: [PATCH] pgpassfile connection option

Andrew Dunstan <andrew@dunslane.net>

From: Andrew Dunstan <andrew@dunslane.net>
To: Julian Markwort <julian.markwort@uni-muenster.de>, pgsql-hackers@postgresql.org
Date: 2016-09-22T15:15:45Z
Lists: pgsql-hackers

On 09/22/2016 10:44 AM, Julian Markwort wrote:
> Hello psql-hackers!
>
> We thought it would be advantageous to be able to specify a 'custom' 
> pgpassfile within the connection string along the lines of the 
> existing parameters sslkey and sslcert.
>
> Which is exactly what this very compact patch does.
> The patch is minimally invasive - when no pgpassfile attribute is 
> provided in the connection string, the regular pgpassfile is used.
> The security-measures (which are limited to checking the permissions 
> for 0600) are kept, however we could loosen that restriciton to allow 
> group access as well along the lines of the ssl key file , if this is 
> preferred. (in case multiple users belonging to the same group would 
> like to connect using the same file).
>
> The patch applies cleanly to master and compiles and runs as expected 
> (as there are no critical alterations).
> I've not written any documentation as of now, but I'll follow up 
> closely if there is any interest for this patch.
>
> notes:
>  - using ~ to denote the user's home directory in the path does not 
> work, however $HOME works (as this is translated by bash beforehand).
>  - the notation in the custom pgpassfile should follow the notation of 
> the 'default' pgpass files:
>     hostname:port:database:username:password
>  - this has only been tested on linux so far, however due to the 
> nature of the changes I suspect that there is nothing that could go 
> wrong in other environments, although I could test that as well, if 
> deemed necessary.



I'm not necessarily opposed to this, but what is the advantage over the 
existing PGPASSFILE  environment setting mechanism?


cheers

andrew



Commits

  1. Allow password file name to be specified as a libpq connection parameter.