Re: Password leakage avoidance
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Joe Conway <mail@joeconway.com>,
PostgreSQL-development <pgsql-hackers@postgreSQL.org>
Cc: Dave Cramer <davecramer@postgres.rocks>
Date: 2023-12-27T20:39:48Z
Lists: pgsql-hackers
On 23.12.23 16:13, Joe Conway wrote: > I have recently, once again for the umpteenth time, been involved in > discussions around (paraphrasing) "why does Postgres leak the passwords > into the logs when they are changed". I know well that the canonical > advice is something like "use psql with \password if you care about that". > > And while that works, it is a deeply unsatisfying answer for me to give > and for the OP to receive. > > The alternative is something like "...well if you don't like that, use > PQencryptPasswordConn() to roll your own solution that meets your > security needs". > > Again, not a spectacular answer IMHO. It amounts to "here is a > do-it-yourself kit, go put it together". It occurred to me that we can, > and really should, do better. > > The attached patch set moves the guts of \password from psql into the > libpq client side -- PQchangePassword() (patch 0001). > > The usage in psql serves as a ready built-in test for the libpq function > (patch 0002). Docs included too (patch 0003). I don't follow how you get from the problem statement to this solution. This proposal doesn't avoid password leakage, does it? It just provides a different way to phrase the existing solution. Who is a potential user of this solution? Right now it just saves a dozen lines in psql, but it's not clear how it improves anything else.