Package: fuel-web
Version: 9.0+dfsg1-3
Severity: grave
Tags: security

Dear Maintainer,

while investigating the use of PGPASSFILE I found the following code in
package fuel-web, file nailgun/tools/env_functions.sh on line 119:

echo "*:*:*:${DB_ROOT}:${DB_ROOTPW}" > ${DB_ROOTPGPASS}

http://sources.debian.net/src/fuel-web/9.0%2Bdfsg1-3/nailgun/tools/env_functions.sh/?hl=119#L119

This appears to be an insecure usage of the PostgreSQL (root?) password,
as the command line - and with it the password - will be visible to
other users.

A better way to populate the file would be something like:

cat <<EOF > "${DB_ROOTPGPASS}"
*:*:*:${DB_ROOT}:${DB_ROOTPW}
EOF

Regards,

Carsten
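The following is an added example, not code from the bug report above or from fuel-web. It carries the heredoc suggestion through to a complete, standalone script: the password reaches the file only via a heredoc on stdin (so it is never an argument to cat or sed, where it could show up in ps, /proc/<pid>/cmdline or a `set -x` trace), the file is created with the 0600 mode libpq insists on for a password file, and the `:` and `\` characters that the .pgpass format requires to be backslash-escaped are handled. The variable names DB_ROOT, DB_ROOTPW and DB_ROOTPGPASS follow the report; the functions write_pgpass and check_pgpass are this example's own names, and the sample credentials are made up.

```sh
#!/bin/sh
# Added example (not from fuel-web or the report): populate a .pgpass file
# without ever placing the password in a command's argument list.

# Escape ':' and '\' as the .pgpass format requires. The value arrives on
# stdin through a heredoc, so it is not an argument to sed. Results of
# heredoc expansion are not expanded again, so '$' in a password is safe.
pgpass_escape() {
    sed 's/[\\:]/\\&/g' <<EOF
$1
EOF
}

# write_pgpass FILE USER PASSWORD
write_pgpass() {
    pgpass_file=$1
    pgpass_user=$2
    pgpass_pw=$(pgpass_escape "$3")

    # Restrictive umask before the redirection creates the file: libpq
    # ignores a password file that is group- or world-accessible.
    old_umask=$(umask)
    umask 077
    # The heredoc body goes to cat on stdin; cat's own argv holds no secret.
    cat <<EOF > "${pgpass_file}"
*:*:*:${pgpass_user}:${pgpass_pw}
EOF
    umask "$old_umask"
    # In case the file already existed with a looser mode.
    chmod 0600 "${pgpass_file}"
}

# check_pgpass FILE: 0 if the file has mode 0600 and exactly one entry.
check_pgpass() {
    pgpass_file=$1
    mode=$(ls -l "${pgpass_file}" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    lines=$(wc -l < "${pgpass_file}" | tr -d ' ')
    [ "$lines" -eq 1 ] || return 1
    return 0
}

# Sample run with constructed values (hypothetical user and password).
DB_ROOT=postgres
DB_ROOTPW='a:b\c$notexpanded'
DB_ROOTPGPASS=$(mktemp)
write_pgpass "${DB_ROOTPGPASS}" "${DB_ROOT}" "${DB_ROOTPW}"
check_pgpass "${DB_ROOTPGPASS}" && echo "pgpass written with mode 0600"
```

Note that the escape step is what makes the example useful beyond the one-liner in the report: a password containing `:` written unescaped silently shifts the field boundaries and libpq will never match the entry.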
