Opened 10 years ago

Closed 9 years ago

Last modified 9 years ago

#23658 closed New feature (fixed)

Provide the password to PostgreSQL from "dbshell" command

Reported by: Isaac Jurado
Owned by: nobody
Component: Database layer (models, ORM)
Version: dev
Severity: Normal
Keywords: postgresql dbshell
Cc: Loic Bistuer
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

With the PostgreSQL Django backend, if the database configuration defines a password, it is not used by the "dbshell" command. Unlike the "mysql" command, the "psql" command accepts the password through the process environment. It would be a more uniform experience if the PostgreSQL driver behaved the same.

Also note from the attached patch that "os.execvpe()" also works on Windows, so there's no need to distinguish between the two systems.

Attachments (1)

dbshell.diff (778 bytes) - added by Isaac Jurado 10 years ago.
Proposed fix.


Change History (13)

by Isaac Jurado, 10 years ago

Attachment: dbshell.diff added

Proposed fix.

comment:1 by Aymeric Augustin, 10 years ago

Duplicate of #19893 and #7554, which was closed as wontfix, but I'm not opposed to reconsidering since the question comes up regularly.

comment:2 by Loic Bistuer, 10 years ago

Cc: Loic Bistuer added
Easy pickings: unset
Needs documentation: set
Patch needs improvement: set
Triage Stage: Unreviewed → Accepted
UI/UX: unset
Version: 1.7 → master

+1 for this approach, marking as accepted.

From my understanding MySQL supports the MYSQL_PWD env var, wouldn't that work?

comment:3 by Isaac Jurado, 10 years ago

The mysql command clobbers the password given in the command line, so I'm not sure if the MySQL backend needs to change it. Clobbering the process environment is also possible, just as hacky as doing it in argv, however the password length is still leaked. PostgreSQL would need a patch for that, though.

On a side note, I just realized that there's no need to copy the os.environment dictionary because the page table is going to be wiped out by os.execvp anyway.

And finally, in the MySQL backend, the use of os.system on Windows can also be removed. But that probably needs a separate patch.

comment:4 by Raphaël Hertzog, 10 years ago

I would like to point out the discussion we just had on http://bugs.debian.org/781033: namely that PGPASSWD is a deprecated feature. The correct way to handle this would be to set up a temporary password file that is then passed to the PGPASSFILE environment variable.

http://www.postgresql.org/docs/9.0/interactive/libpq-envars.html
https://stackoverflow.com/questions/6523019/postgresql-scripting-psql-execution-with-password

comment:5 by nirgal, 10 years ago

I wrote a patch at https://github.com/django/django/pull/4392

Please review it.

comment:6 by nirgal, 10 years ago

Patch needs improvement: unset

comment:7 by Markus Holtermann, 10 years ago

Patch needs improvement: set

comment:8 by Tim Graham, 10 years ago

Needs documentation: unset
Patch needs improvement: unset

comment:9 by Tim Graham, 10 years ago

Patch needs improvement: set

comment:10 by Tim Graham <timograham@…>, 9 years ago

Resolution: fixed
Status: new → closed

In b64c0d4:

Fixed #23658 -- Provided the password to PostgreSQL dbshell command

The password from settings.py is written in a temporary .pgpass file
whose name is given to psql using the PGPASSFILE environment
variable.
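
The temporary password file approach described in the commit message above, as an added example (not the code from b64c0d4 and not Django's own implementation). The function names and the sample connection settings are assumptions made for illustration; the password stays out of both argv and the environment, and the file is removed once psql exits.

```python
import os
import subprocess
import tempfile

def pgpass_escape(value):
    """Escape the two characters the .pgpass format treats specially."""
    return str(value).replace("\\", "\\\\").replace(":", "\\:")

def pgpass_line(host, port, dbname, user, password):
    """hostname:port:database:username:password, '*' for unset fields."""
    fields = [host or "*", port or "*", dbname or "*", user or "*", password]
    return ":".join(pgpass_escape(f) for f in fields)

def write_pgpass(line):
    """Write the entry to a fresh temporary file and return its path.

    mkstemp() creates the file readable and writable by the owner only,
    which libpq requires on Unix before it will use a password file.
    """
    fd, path = tempfile.mkstemp(prefix="pgpass-")
    with os.fdopen(fd, "w") as f:
        f.write(line + "\n")
    return path

def run_psql(conn):
    """Run psql with PGPASSFILE set; the password never reaches argv."""
    args = ["psql"]
    for flag, key in (("-U", "user"), ("-h", "host"), ("-p", "port")):
        if conn.get(key):
            args += [flag, str(conn[key])]
    args.append(conn["dbname"])
    path = write_pgpass(pgpass_line(conn.get("host"), conn.get("port"),
                                    conn["dbname"], conn.get("user"),
                                    conn["password"]))
    try:
        return subprocess.call(args, env=dict(os.environ, PGPASSFILE=path))
    finally:
        os.remove(path)  # the file holds a plaintext password

# Constructed sample settings (hypothetical), not taken from the ticket.
SAMPLE = {"host": "db.example.test", "port": 5432, "dbname": "app",
          "user": "alice", "password": r"p:ss\word"}

if __name__ == "__main__":
    # Show the entry that would be written, with the password redacted.
    print(pgpass_line(SAMPLE["host"], SAMPLE["port"], SAMPLE["dbname"],
                      SAMPLE["user"], "<redacted>"))
```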

comment:11 by Tim Graham <timograham@…>, 9 years ago

In b535eb3:

Refs #23658 -- Fixed unclosed file in dbshell tests.

comment:12 by Tim Graham <timograham@…>, 9 years ago

In 6bd84623:

Refs #23658 -- Fixed dbshell tests on Windows.
