"Joshua D. Drake" <j...@commandprompt.com> writes:
> On 07/18/2018 04:25 PM, Tom Lane wrote:
>> This is exactly the kind of area in which I'm concerned for the
>> possibility of sloppily-written scripts being a net negative for
>> security.

> Although I appreciate the concern, can we not worry about this? Your
> argument basically boils down to: Dumb will be Dumb. That will not
> change no matter what we do, as is obvious by the number of people STILL
> using postgres as their connected web app user. The usability of this
> feature, if fleshed out correctly, is pretty large.

Sorry, I don't buy that line of argument. The *only* reason for this
feature to exist is if it allows ready creation of security solutions
that are actually more secure than a non-world-readable .pgpass file.
That's a much higher bar than many people realize to begin with ... and
if it comes along with huge risk of security foot-guns, I do not think
that it's going to be a net advance.

One reason I'd like to see a concrete use-case (or several concrete
use-cases) is that we might then find some design that's less prone to
such mistakes than "here, run this shell script" is going to be. I'm
vaguely imagining exec'ing a program directly without a layer of shell
quoting/evaluation in between; but not sure how far that gets us.

Another question that ought to be asked somewhere along here is "how well
does this work on Windows?" ...

regards, tom lane
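The "exec a program directly, no shell in between" design Tom sketches above, as an added illustration (not code from the thread or from PostgreSQL). Python is used only because it demonstrates the point portably; the helper program is a constructed stand-in (a Python child that prints its first argument), and `fetch_password` / `parse_command_line` are hypothetical names. The point shown is that once the configured command is tokenized into an argv vector and executed without a shell, metacharacters in arguments arrive literally and are never evaluated:

```python
import shlex
import subprocess
import sys

# Constructed stand-in for an administrator's credential-helper binary:
# a Python child that writes its first argument to stdout as the "password".
HELPER_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def parse_command_line(config_value):
    """Tokenize a configured command string into an argv list.

    shlex.split honours quoting so 'web app' stays one argument, but it
    performs no variable expansion or command substitution: "$HOME" is
    returned as the literal token "$HOME".
    """
    return shlex.split(config_value, posix=True)


def fetch_password(helper_argv, extra_args):
    """Run the helper directly (shell=False) and return its stdout as the secret.

    Because no shell sits between us and the child, an argument such as
    "$HOME; id" is delivered verbatim: nothing expands $HOME and nothing
    treats ';' as a command separator.
    """
    argv = list(helper_argv) + list(extra_args)
    proc = subprocess.run(
        argv,
        shell=False,            # argv vector, no shell evaluation layer
        capture_output=True,
        text=True,
        check=True,             # a failing helper is an error, not an empty password
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print(parse_command_line("get-pw --account 'web app' $HOME"))
    print(fetch_password(HELPER_ARGV, ["$HOME; id"]))
```

Contrast this with handing the same string to `sh -c`: there the `$HOME` would be expanded and `; id` would run as a second command, which is exactly the "sloppily-written scripts" exposure the thread is worried about.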