On Mon, Mar 16, 2009 at 8:50 PM, Tom Lane <t...@sss.pgh.pa.us> wrote:

> Heikki Linnakangas <heikki.linnakan...@enterprisedb.com> writes:
> > Hmm, I wonder if you could do something malicious with it.
>
> There are any number of scenarios where exposing the client command-line
> contents to other database users represents a security hole, quite
> independently of whether anything falls over depending on the line
> contents.  (I wonder whether there are any Oracle clients that accept
> a password on the command line, for instance.)


Sure they let you pass the password on the command line, but they don't
recommend it.  Most of the utilities accept the syntax:

utility user/p...@instance

Just doing u...@instance will generally prompt for a password.

Ahh, the number of passwords I've recovered from shell history files as a
consultant... good times :)

> The only reason this complaint is directed to us, and not Oracle,
> is that the complainant knows how far he's likely to get complaining
> to Oracle :-(

I don't doubt that.  But, like I said, it's really a matter of the
application name.  In our case, Postgres falls into that corner case and we
either choose to do something about it or we don't.  I put the temporary
solution out there for anyone that has the problem.  If we want to fix it
long-term, we'd have to look at one of the previously discussed alternatives
to using (port).  I don't particularly care one way or another, but if we
were to change the ps line format, I just wanted to say that I preferred
host:port rather than host(port).

-- 
Jonah H. Harris, Senior DBA
myYearbook.com
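An added example to go with the two exposures described in the thread (a password on the client command line being readable from the process table while the client runs, and the same string surviving in a shell history file afterwards). This is not code from the thread, from PostgreSQL or from Oracle; the stand-in client name "utility", the connect string scott/tiger@orcl and the history lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the pgsql-hackers thread, PostgreSQL or Oracle.
# 1. While a client runs with "user/password@instance" on its command line,
#    any local user can read it from the process table.
# 2. After it exits, the same string sits in the shell history file.
# "utility", "scott/tiger@orcl" and the sample history are constructed.

# Oracle-style connect string with an embedded password: user/password@instance.
# Assumes the password contains no whitespace, '/' or '@'.
CONNECT_RE='[A-Za-z0-9_$#]+/[^[:space:]/@]+@[A-Za-z0-9_.$#-]+'

# Print the command line of process $1 the way another user would see it
# (Linux /proc first, portable ps(1) otherwise).
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in client ("utility") with $1 on its command line, read the
# process table while it runs, and succeed if $1 is visible there.
# "sleep 5; :" keeps the shell alive rather than letting it exec sleep directly.
leaks_via_ps() {
    sh -c 'sleep 5; :' utility "$1" &
    pid=$!
    sleep 1                      # give the background child time to exec
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    case "$seen" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print every history line carrying a connect string, with the password masked.
scan_history() {
    grep -E "$CONNECT_RE" "$1" 2>/dev/null |
        sed -E 's#(/)[^[:space:]/@]+(@)#\1********\2#g'
}

# Number of history lines carrying a password (the "recovered from shell
# history" case). grep -c prints 0 and exits 1 on no match, hence "|| true".
count_history_leaks() {
    grep -E -c "$CONNECT_RE" "$1" 2>/dev/null || true
}

# Constructed stand-in for ~/.bash_history; prints the path of the temp file.
make_sample_history() {
    f=$(mktemp "${TMPDIR:-/tmp}/hist.XXXXXX")
    cat > "$f" <<'EOF'
ls -la
sqlplus scott/tiger@orcl
psql -h db1 -p 5432 -U app appdb
exp system/manager@prod file=full.dmp
sqlplus scott@orcl
EOF
    echo "$f"
}

demo() {
    if leaks_via_ps 'scott/tiger@orcl'; then
        echo "process table: password visible while the client runs"
    fi
    hist=$(make_sample_history)
    echo "history lines with a password: $(count_history_leaks "$hist")"
    scan_history "$hist"
    rm -f "$hist"
}

demo
```

Of the five sample history lines only the two with a `user/password@instance` argument are reported; the `psql` line (password prompted or taken from a file, not the command line) and the `scott@orcl` line are ignored, which is the difference the thread draws between the two Oracle syntaxes.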
