Package: fuel-web
Version: 9.0+dfsg1-3
Severity: grave
Tags: security

Dear Maintainer,

While investigating the use of PGPASSFILE, I found the following code in package fuel-web, file nailgun/tools/env_functions.sh, on line 119:

    echo "*:*:*:${DB_ROOT}:${DB_ROOTPW}" > ${DB_ROOTPGPASS}

http://sources.debian.net/src/fuel-web/9.0%2Bdfsg1-3/nailgun/tools/env_functions.sh/?hl=119#L119

This appears to be an insecure usage of the PostgreSQL (root?) password, as the command line - and with it the password - will be visible to other users. A better way to populate the file would be something like:

    cat <<EOF > ${DB_ROOTPGPASS}
    *:*:*:${DB_ROOT}:${DB_ROOTPW}
    EOF

Regards,
Carsten
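The following is an added example, not code from the bug report or from fuel-web, showing one way to write a libpq password file (the file named by PGPASSFILE) that addresses the concern above and two related points a practitioner would want covered: the password is expanded by the shell into a here-document rather than placed on any command line, the file is created with mode 0600 (libpq ignores a password file with a wider mode), and the characters libpq requires to be escaped in a field (backslash and colon) are escaped. The function names (write_pgpass, pgpass_escape, pgpass_mode, pgpass_line), the db_* variables and the demo credentials are all constructed for this illustration and do not appear in the package.

```shell
#!/bin/sh
# Added example (not from fuel-web): create a PGPASSFILE safely.
set -eu

# libpq requires '\' and ':' inside a .pgpass field to be written as '\\' and '\:'.
# The value arrives on stdin, so it is never placed on sed's command line.
pgpass_escape() {
    sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# write_pgpass PATH DBUSER PASSWORD
# Host, port and database are wildcarded (*:*:*), matching the report's entry.
write_pgpass() {
    pgpass_path=$1
    db_user=$2
    db_pw=$3

    # printf is a shell builtin in bash and dash, so the password is passed to
    # the pipe without appearing in any process's argv.
    escaped_pw=$(printf '%s' "$db_pw" | pgpass_escape)

    # Create the file with a restrictive mode *before* any data lands in it:
    # remove a possibly wider-mode leftover, then create under umask 077 in a
    # subshell so the caller's umask is left untouched. libpq refuses to use a
    # password file that is group- or world-readable, so 0600 is also required
    # for the file to work at all.
    (
        umask 077
        rm -f "$pgpass_path"
        # Parameter expansion inside the here-document is done by the shell;
        # cat only sees the already-expanded text on its stdin.
        cat > "$pgpass_path" <<EOF
*:*:*:${db_user}:${escaped_pw}
EOF
    )
}

# Permission string of a file (first 10 chars of ls -l, portable across stat variants).
pgpass_mode() {
    ls -ld "$1" | cut -c1-10
}

# The single entry stored in the file.
pgpass_line() {
    cat "$1"
}

# Constructed demo values: no real credentials, temporary file only.
demo_file=$(mktemp)
write_pgpass "$demo_file" "demo_root" 'pa:ss\word'
printf 'mode:  %s\n' "$(pgpass_mode "$demo_file")"   # -rw-------
printf 'entry: %s\n' "$(pgpass_line "$demo_file")"   # *:*:*:demo_root:pa\:ss\\word
rm -f "$demo_file"
```

The here-document form only keeps the password out of argv if the shell itself performs the expansion, which both `echo` (a builtin) and the here-document do; the part the original line lacks regardless of which form is used is the 0600 creation mode and the escaping of ':' and '\' in the password field.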