Security flaw when password is used on commandline

Thomas Bayen
April 17, 2019, 1:27 PM

I use jasperstarter to access a PostgreSQL database. AFAIS the only way to access the database is to give the password on the commandline with the -p option. This is not common in other tools and may lead to security breaches. The password can be seen by other processes on the same machine in "/proc/xxxx/cmdline" and it may be written to the bash history.

Other tools allow having a separate file for the password store. After thinking about it (and after reading ) my idea is that a way to read a jasperstudio connection.xml file would be the best solution. Reading the psql standard file "~/.pgpass" may also be an idea. Or one uses a separate file and we need an option to use it.

What do you think?

PS: Hi, Volker! Did not see you for a long time. I was happy to see jasperstarter. It is a great work! Thanks for doing it.
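As an added illustration of the "~/.pgpass" idea from the post above (example code, not JasperStarter's own): a lookup that takes the credential from the psql standard file, so nothing secret appears in "/proc/xxxx/cmdline" or the shell history. The file contents, host names and credentials are constructed for the example; the mode check mirrors libpq's rule that a group- or world-readable pgpass file is refused.

```python
import os, stat, tempfile

# Constructed sample in libpq's ~/.pgpass layout: host:port:db:user:password
SAMPLE = """# '*' matches any value in the first four fields; first match wins
localhost:5432:reports:jasper:s3cr:et
db.example.internal:*:*:jasper:wild-card-pw
*:*:*:*:fallback-pw
"""

def lookup_pgpass(path, host, port, database, user):
    """Return the password of the first matching line, or None.

    Like libpq, refuse a group- or world-readable file instead of quietly
    using it. Backslash escapes, which libpq also honours, are omitted here.
    """
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} must have mode 0600")
    wanted = (host, str(port), database, user)
    with open(path, encoding="utf-8") as fh:
        for line in fh.read().splitlines():
            if not line or line.startswith("#"):
                continue
            fields = line.split(":", 4)  # colons after the 4th stay in the password
            if len(fields) == 5 and all(f in ("*", w) for f, w in zip(fields, wanted)):
                return fields[4]
    return None

def _write_sample(mode):
    """Write SAMPLE to a fresh temp dir with the given mode; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "pgpass")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path

def demo():
    """Lookups against a 0600 sample file, plus the check that 0644 is refused."""
    path = _write_sample(0o600)
    out = {
        "exact": lookup_pgpass(path, "localhost", 5432, "reports", "jasper"),
        "wildcard": lookup_pgpass(path, "db.example.internal", 5433, "x", "jasper"),
        "fallback": lookup_pgpass(path, "nohost", 1, "x", "y"),
    }
    try:
        lookup_pgpass(_write_sample(0o644), "localhost", 5432, "reports", "jasper")
        out["loose_mode_rejected"] = False
    except PermissionError:
        out["loose_mode_rejected"] = True
    return out
```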

Volker Voßkämper
July 9, 2019, 4:53 PM

Hi Thomas,

sorry for the late answer. It seems that the notification email went into spam...

you can use

Don't know why I did not mention it in the forum...

I did not take a look at that connection.xml till now. Is there any benefit compared to the command file? (The command file is a feature of the parser library used by JasperStarter.)

Storing passwords in files has always a bad taste...

Database connections are unencrypted, so hiding the password of the configuration solves only half of the problem

Any help is always welcome

Best Regards


Volker Voßkämper