Security flaw when password is used on commandline

Description

None

Environment

None

Activity

Thomas Bayen
April 17, 2019, 1:27 PM

I use jasperstarter to access a PostgreSQL database. AFAIS the only way to access the database is to give the password on the commandline with the -p option. This is not common in other tools and may lead to security breaches. The password can be seen by other processes on the same machine in "/proc/xxxx/cmdline" and it may be written to the bash history.

Other tools allow having a separate file for the password store. After thinking about it (and after reading https://sourceforge.net/p/jasperstarter/discussion/general/thread/7145360df8/ ) my idea is that a way to read a jasperstudio connection.xml file would be the best solution. Reading the psql standard file "~/.pgpass" may also be an idea. Or one does a separate file and we need an option to use it.

What do you think?

PS: Hi, Volker! Did not see you for a long time. I was happy to see jasperstarter. It is a great work! Thanks for doing it.

Volker Voßkämper
July 9, 2019, 4:53 PM

Hi Thomas,

sorry for the late answer. It seems that the notification email went into spam...

You can use
http://jasperstarter.cenote.de/usage.html#Command_files

Don't know why I did not mention it in the forum...

I did not take a look at that connection.xml till now. Is there any benefit compared to the command file? (The command file is a feature of the parser library used by JasperStarter: https://argparse4j.github.io/usage.html#fromfileprefix.)

Storing passwords in files always has a bad taste...

Database connections are unencrypted, so hiding the password of the configuration solves only half of the problem.

Any help is always welcome

Best Regards
Volker
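Volker's command-file suggestion and Thomas's "/proc/xxxx/cmdline" point, worked through as an added example; this is not code from the issue thread or from JasperStarter. It assumes that `-p` takes the password as the following argument (as in the report) and that an argparse4j command file holds one argument per line; the file path and password are placeholders.

```python
"""Keep a database password out of argv with an argparse4j-style @file and
audit /proc/<pid>/cmdline for the leaky form (assumed behaviour, see lead-in)."""
import os
import stat
import tempfile
from typing import Dict, List


def parse_proc_cmdline(raw: bytes) -> List[str]:
    # /proc/<pid>/cmdline is NUL-separated with a trailing NUL.
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def password_on_cmdline(argv: List[str]) -> bool:
    """Heuristic: True when argv carries '-p <value>' or '-p<value>' inline,
    i.e. the password is readable by every local process via /proc."""
    for i, a in enumerate(argv[1:], 1):
        if a == "-p" and i + 1 < len(argv):
            return True
        if a.startswith("-p") and len(a) > 2:  # '--...' never matches
            return True
    return False


def write_command_file(path: str, args: List[str]) -> None:
    """argparse4j command file: one argument per line, so '-p' and the
    password become two lines. Created 0600 with O_EXCL so the secret is
    never group/world readable, even briefly, and no file is clobbered."""
    if any("\n" in a or "\r" in a for a in args):
        raise ValueError("arguments must not contain line breaks")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("".join(a + "\n" for a in args))


def command_file_mode_ok(path: str) -> bool:
    """Refuse a command file that group or others can read (POSIX modes)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def safe_argv(command_file: str) -> List[str]:
    """What /proc/<pid>/cmdline shows once the @file form is used."""
    return ["jasperstarter", "@" + command_file]


def demo() -> Dict[str, object]:
    """Constructed walk-through in a temp dir: leaky argv vs. command file."""
    leaky = ["jasperstarter", "-p", "s3cr3t", "report.jrxml"]  # placeholders
    with tempfile.TemporaryDirectory() as d:
        cf = os.path.join(d, "db.args")
        write_command_file(cf, ["-p", "s3cr3t", "report.jrxml"])
        with open(cf, encoding="utf-8") as fh:
            lines = fh.read().split("\n")[:3]
        return {"leaky_visible": password_on_cmdline(leaky),
                "safe_visible": password_on_cmdline(safe_argv(cf)),
                "mode_ok": command_file_mode_ok(cf), "lines": lines}
```

The command file still holds the secret at rest, which is the half of the problem Volker points at; the 0600 mode and the `command_file_mode_ok` check only keep it from other local users.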

Assignee

Volker Voßkämper

Reporter

Thomas Bayen

Labels

None

Priority

Major