Обсуждение: Password as a command line argument to createuser
Hi, I need to write a script that creates a new user with a password automatically. Is there a way I can specify the password as a command line argument to createuser? It looks like postgres does not read from stdin, but from /dev/tty. Thanks
Jane Ren wrote: > Hi, > > I need to write a script that creates a new user with a password > automatically. > > Is there a way I can specify the password as a command line argument to > createuser? > Since you have access to the shell use psql -U user -c "create role ..." Joshua D. Drake > It looks like postgres does not read from stdin, but from /dev/tty. > > Thanks > > ---------------------------(end of broadcast)--------------------------- > TIP 4: Have you searched our list archives? > > http://archives.postgresql.org/ >
"Jane Ren" <j2ren@ucsd.edu> writes: > Is there a way I can specify the password as a command line argument to > createuser? No, and it would be a really bad idea if you could, as the password would be exposed to everyone else on the machine (via "ps") while createuser runs. There are various ways to do this securely, but putting the password on a program's command line isn't one of them. I'd suggest looking at how psql's \password command does it. regards, tom lane
am Tue, dem 18.12.2007, um 22:04:13 -0800 mailte Jane Ren folgendes: > Hi, > > I need to write a script that creates a new user with a password > automatically. > > Is there a way I can specify the password as a command line argument to > createuser? From a unix shell? You can call psql with -c "your command". Try this: psql -U ... database -c "create user foo password 'secret';" Regards, Andreas -- Andreas Kretschmer Kontakt: Heynitz: 035242/47150, D1: 0160/7141639 (mehr: -> Header) GnuPG-ID: 0x3FFF606C, privat 0x7F4584DA http://wwwkeys.de.pgp.net
On Wed, 19 Dec 2007, A. Kretschmer wrote: > psql -U ... database -c "create user foo password 'secret';" This seems like a reasonable example, but it will also show the password you're assigning on the command line to anybody who happens to run ps, which is the reason why this isn't allowed by createuser in the first place. In your typical shell nowadays the echo command is a built-in one--it executes directly rather than calling a separate echo binary, so it won't leak what you tell it onto a command line. That means this line in a script would be simplest way to do this that's not completely insecure: echo "create user foo password 'secret'" | psql ... This is not recommended on the command line (I think other people can still see the whole thing), but in a script I believe others just see the psql executing against standard input. Of course you need the surrounding script to not do the wrong thing either, where the wrong thing includes any approach where you put the password on the command line. Last time I had to do a batch creation of a bunch of accounts I put them into a file with the format "username:password", read that directly from the shell (a good sample to borrow from for that part is http://www.askdavetaylor.com/how_do_i_read_lines_of_data_in_a_shell_script.html ) and used echo | psql as above to create them. This is not an approach I'd want to use as a long-term tool, but for hacking something together it's not an awful way to do it. Like all questions with security implications, I highly recommend you believe nothing I said above and confirm each suggestion through your own research and testing. -- * Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD
Greg Smith <gsmith@gregsmith.com> writes: > In your typical shell nowadays the echo command is a built-in one--it > executes directly rather than calling a separate echo binary, so it won't > leak what you tell it onto a command line. That means this line in a > script would be simplest way to do this that's not completely insecure: > echo "create user foo password 'secret'" | psql ... And if we haven't given you a headache yet: There's a similar risk even after you've securely sent the command to the database server: it will be transiently exposed in pg_stat_activity, and perhaps permanently logged in the postmaster log. Now the audience that can see either of those things is hopefully smaller than "everyone on the machine", but still it's not very nice if you don't want anyone else to know the cleartext of your password. The way to deal with this is to pre-encrypt the password before you send it over to the server. Both the createuser program and psql's \password command do it that way. Unfortunately it looks like they both insist on reading the password from /dev/tty, so if you want to script this, you'd be stuck with making a special-purpose program that didn't. regards, tom lane
On Wed, Dec 19, 2007 at 10:38:52AM -0500, Tom Lane wrote: > reading the password from /dev/tty, so if you want to script this, you'd > be stuck with making a special-purpose program that didn't. But given that passwords are sort of awful in this way anyway, why not use something designed not to have this problem, like Kerberos? Especially now that someone has been doing the work to make Kerberos play nicely in the latest and greatest ways? A