Opened 16 years ago

Closed 12 years ago

Last modified 7 years ago

#7554 closed Uncategorized (duplicate)

python manage.py dbshell does not enter password from settings.py

Reported by: Kaell <joshalto@…> Owned by: nobody
Component: Core (Management commands) Version: dev
Severity: Normal Keywords: dbshell password
Cc: mmitar@… Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When using "python manage.py dbshell" the password from settings.py is not entered for you.

In order to read the password from settings.py one must have access to settings.py, in which case there is no security reason to not enter the password for the user. If they have read access, it should be entered for them. This is not currently the case.

This issue surely extends to django-admin.py as well as manage.py, though I have not tested this directly.

Attachments (2)

7544.patch (689 bytes ) - added by FunkyBob 12 years ago.
This (untested) patch should let postgres log in without requiring you to type your password. HOWEVER-- the PG docs note it's still a POTENTIAL SECURITY ISSUE
7554.patch (3.8 KB ) - added by FunkyBob 12 years ago.
As requested, the patch now adds a "--insecure" switch to dbshell command so you must choose to permit it.

Download all attachments as: .zip

Change History (9)

comment:1 by Malcolm Tredinnick, 16 years ago

Resolution: wontfix
Status: newclosed

Most of the database shells require the password to be entered at the prompt (i.e. via stdin). You cannot pass it on the command line. Faking out stdin input is unreliable and not particularly portable. So this isn't really possible to do. If you really don't want to have to enter the password each time, there's usually a way to set it up in the .psql or .mysql file in your home directory.

by FunkyBob, 12 years ago

Attachment: 7544.patch added

This (untested) patch should let postgres log in without requiring you to type your password. HOWEVER-- the PG docs note it's still a POTENTIAL SECURITY ISSUE

comment:2 by bradleyayers, 12 years ago

Easy pickings: unset
Resolution: wontfix
Severity: Normal
Status: closedreopened
Type: Uncategorized
UI/UX: unset

I think the issue FunkyBob raised of the PostgreSQL documentation recommending against using an environment variable to supply the password can be resolved by adding an --insecure command line argument to manage.py dbshell. This would follow the convention established by manage.py runserver.

When a user supplies the --insecure argument, they're giving consent to database backends using insecure techniques to supply the password to the database shell (e.g. using command line argument, or setting an environment variable like PostgreSQL's PGPASSWORD).

Based on this rational I'm re-opening this ticket for re-evaluation.

comment:3 by Aymeric Augustin, 12 years ago

Resolution: wontfix
Status: reopenedclosed

We've had security reports about the fact that the --insecure option of runserver is, well, insecure. No kidding. So I'm against adding the possibility to do insecure things in Django, no matter how obvious and fat the warnings are.

The ticket was closed as wontfix by Malcolm because the databases provide other, more suitable ways to supply the password. See TicketClosingReasons/DontReopenTickets.

comment:4 by Anssi Kääriäinen, 12 years ago

For PostgreSQL: We could instruct users to save the password in their .pgpass file. First try with -w (never prompt for password) if that does not succeed add a hint "Can't login without password - try saving connection information to your .pgpass file (see ... for details)". Then try again without -w.

Alternate solution is to create a temporary password file, and make sure it is not word-readable. Then, use the environment variable PGPASSFILE to use the temporary password file. It seems it should be easy to make this work on Linux, but Windows will be a bit harder (see http://docs.python.org/library/tempfile.html#tempfile.NamedTemporaryFile)

by FunkyBob, 12 years ago

Attachment: 7554.patch added

As requested, the patch now adds a "--insecure" switch to dbshell command so you must choose to permit it.

comment:5 by Mitar, 8 years ago

Cc: mmitar@… added

comment:6 by Robert Coup, 7 years ago

Since v8.1 Postgres supports the PGPASSFILE environment variable to specify an alternative location for a ~/.pgpass file. So one option is for dbshell to create a tempfile, set the file permissions to 0600, write the password into it, then destroy it after invoking psql.

https://www.postgresql.org/docs/9.6/static/libpq-pgpass.html

comment:7 by Tim Graham, 7 years ago

Resolution: wontfixduplicate

That approach was implemented in #23658.

Note: See TracTickets for help on using tickets.
Back to Top