public inbox for [email protected]
Re: What are best practices wrt passwords?
6+ messages / 4 participants
* Re: What are best practices wrt passwords?
From: Bruce Momjian @ 2024-10-16 16:33 UTC
To: [email protected]; +Cc: Dominique Devienne <[email protected]>; pgsql-general
On Wed, Oct 16, 2024 at 06:16:57PM +0200, [email protected] wrote:
> On 2024-10-16, at 14:41, Dominique Devienne <[email protected]> wrote:
>
> > On Wed, Oct 16, 2024 at 2:25 PM <[email protected]> wrote:
> >> I'd like to be able to use psql without typing passwords again and
> >> again. I know about `.pgpass` and PGPASSFILE, but I specifically do not
> >> want to use it - I have the password in the `.env` file, and having it
> >> in _two_ places comes with its own set of problems, like how to make
> >> sure they don't get out of sync.
> >
> > What's wrong with PGPASSWORD?
> > https://www.postgresql.org/docs/current/libpq-envars.html
>
> `ps auxe` shows all processes with their environments, no?
I think that only shows for super-user.
--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"
* Re: What are best practices wrt passwords?
From: Tom Lane @ 2024-10-16 16:47 UTC
To: Bruce Momjian <[email protected]>; +Cc: [email protected]; Dominique Devienne <[email protected]>; pgsql-general
Bruce Momjian <[email protected]> writes:
> On Wed, Oct 16, 2024 at 06:16:57PM +0200, [email protected] wrote:
>> `ps auxe` shows all processes with their environments, no?
> I think that only shows for super-user.
I believe it depends on your platform --- some BSDen are pretty
permissive about this, if memory serves. On a Linux box it seems
to work for processes owned by yourself even if you're not superuser.
regards, tom lane
* Re: What are best practices wrt passwords?
From: Christophe Pettus @ 2024-10-16 16:50 UTC
To: Tom Lane <[email protected]>; +Cc: Bruce Momjian <[email protected]>; [email protected]; Dominique Devienne <[email protected]>; pgsql-general
> On Oct 16, 2024, at 09:47, Tom Lane <[email protected]> wrote:
> I believe it depends on your platform --- some BSDen are pretty
> permissive about this, if memory serves. On a Linux box it seems
> to work for processes owned by yourself even if you're not superuser.
I just tried it on an (admittedly kind of old) Ubuntu system and MacOS 14, and it looks like it shows everything owned by everyone, even from a non-sudoer user.
* Re: What are best practices wrt passwords?
From: Peter J. Holzer @ 2024-10-16 21:27 UTC
To: [email protected]
On 2024-10-16 09:50:41 -0700, Christophe Pettus wrote:
> > On Oct 16, 2024, at 09:47, Tom Lane <[email protected]> wrote:
> > I believe it depends on your platform --- some BSDen are pretty
> > permissive about this, if memory serves. On a Linux box it seems
> > to work for processes owned by yourself even if you're not superuser.
>
> I just tried it on an (admittedly kind of old) Ubuntu system and MacOS
> 14, and it looks like it shows everything owned by everyone, even from a
> non-sudoer user.
On Linux, unprivileged users can only see the environment of their own
processes since a *very* long time ago. Possibly even before Ubuntu even
existed. So I'm somewhat sceptical about that. Some other Unixes were
more permissive. I don't know what camp MacOS falls into.
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | [email protected] | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
* Re: What are best practices wrt passwords?
From: Bruce Momjian @ 2024-10-16 21:37 UTC
To: [email protected]
On Wed, Oct 16, 2024 at 11:27:15PM +0200, Peter J. Holzer wrote:
> On 2024-10-16 09:50:41 -0700, Christophe Pettus wrote:
> > > On Oct 16, 2024, at 09:47, Tom Lane <[email protected]> wrote:
> > > I believe it depends on your platform --- some BSDen are pretty
> > > permissive about this, if memory serves. On a Linux box it seems
> > > to work for processes owned by yourself even if you're not superuser.
> >
> > I just tried it on an (admittedly kind of old) Ubuntu system and MacOS
> > 14, and it looks like it shows everything owned by everyone, even from a
> > non-sudoer user.
>
> On Linux, unprivileged users can only see the environment of their own
> processes since a *very* long time ago. Possibly even before Ubuntu even
> existed. So I'm somewhat sceptical about that. Some other Unixes were
> more permissive. I don't know what camp MacOS falls into.
Yes, I thought this was fixed long ago.
--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"
* Re: What are best practices wrt passwords?
From: Tom Lane @ 2024-10-16 22:03 UTC
To: Peter J. Holzer <[email protected]>; +Cc: [email protected]
"Peter J. Holzer" <[email protected]> writes:
> On Linux, unprivileged users can only see the environment of their own
> processes since a *very* long time ago. Possibly even before Ubuntu even
> existed. So I'm somewhat sceptical about that. Some other Unixes were
> more permissive. I don't know what camp MacOS falls into.
I poked at that on current macOS (Sequoia). The rule for unprivileged
users seems to be the same as on Linux: you can see the environment
variables of processes belonging to you. What is really interesting
is that "sudo ps auxwwe" and "ps auxwwe" have the same results: you
can still see only your own processes' environment variables. The
sole exception when I tried it was that under sudo the root-owned "ps"
command showed its own environment variables, which is pretty bizarre.
Looks like the test is not actually on the reported process ownership
but some inherited property.
To confuse matters even more, another machine that's running Sequoia
but with SIP turned off acts more like Linux: "sudo ps auxwwe" shows
environment variables for everything. So Apple's marching to their
own drummer as usual, but it doesn't look like there's any case where
they are more permissive than the Linux rule. I'm still not convinced
about whether all *BSD flavors match that, though.
regards, tom lane
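
Added example, not part of any message in this thread: on Linux, ps takes process environments from /proc/<pid>/environ, so the platform question debated above can be checked directly for the account you are logged in as. The sketch assumes a Linux-style /proc; the function names are illustrative, and it reports only variable names, never values.

```python
import os

# Names to flag; PGPASSWORD is the variable discussed in the thread.
SECRET_NAMES = {"PGPASSWORD"}


def env_names(raw: bytes) -> set[str]:
    """Parse an environ block: NUL-separated NAME=value entries."""
    names = set()
    for entry in raw.split(b"\0"):
        name, sep, _value = entry.partition(b"=")
        if sep and name:
            names.add(name.decode("utf-8", "replace"))
    return names


def audit(proc_root: str = "/proc") -> list[dict]:
    """One row per pid: owner, whether the calling user can read its
    environment, and which flagged variable names it contains."""
    me = os.geteuid()
    rows = []
    for pid in sorted(int(e) for e in os.listdir(proc_root) if e.isdigit()):
        piddir = os.path.join(proc_root, str(pid))
        try:
            uid = os.stat(piddir).st_uid
        except OSError:
            continue  # process exited between listdir() and stat()
        try:
            with open(os.path.join(piddir, "environ"), "rb") as fh:
                names = env_names(fh.read())
            readable = True
        except OSError:  # access denied, or the process has gone away
            names, readable = set(), False
        rows.append({"pid": pid, "uid": uid, "own": uid == me,
                     "readable": readable,
                     "secrets": sorted(names & SECRET_NAMES)})
    return rows


def summarize(rows: list[dict]) -> dict:
    return {
        "own_readable": sum(r["own"] and r["readable"] for r in rows),
        "foreign_readable": sum(not r["own"] and r["readable"] for r in rows),
        "exposed": [r["pid"] for r in rows if r["secrets"]],
    }


if __name__ == "__main__":
    print(summarize(audit()))
```

A non-zero foreign_readable count for an unprivileged account means other users' environments are visible on that host; the pids under exposed are processes that carry PGPASSWORD in an environment this account can read.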