Opened 7 years ago

Closed 3 years ago

Last modified 3 years ago

#7554 closed Uncategorized (wontfix)

python manage.py dbshell does not enter password from settings.py

Reported by: Kaell <joshalto@…> Owned by: nobody
Component: Core (Management commands) Version: master
Severity: Normal Keywords: dbshell password
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When using "python manage.py dbshell" the password from settings.py is not entered for you.

In order to read the password from settings.py one must have access to settings.py, in which case there is no security reason to not enter the password for the user. If they have read access, it should be entered for them. This is not currently the case.

This issue surely extends to django-admin.py as well as manage.py, though I have not tested this directly.

Attachments (2)

7544.patch (689 bytes) - added by FunkyBob 3 years ago.
This (untested) patch should let postgres log in without requiring you to type your password. HOWEVER-- the PG docs note it's still a POTENTIAL SECURITY ISSUE
7554.patch (3.8 KB) - added by FunkyBob 3 years ago.
As requested, the patch now adds a "--insecure" switch to dbshell command so you must choose to permit it.

Download all attachments as: .zip

Change History (6)

comment:1 Changed 7 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

Most of the database shells require the password to be entered at the prompt (i.e. via stdin). You cannot pass it on the command line. Faking out stdin input is unreliable and not particularly portable. So this isn't really possible to do. If you really don't want to have to enter the password each time, there's usually a way to set it up in the .psql or .mysql file in your home directory.

Changed 3 years ago by FunkyBob

This (untested) patch should let postgres log in without requiring you to type your password. HOWEVER-- the PG docs note it's still a POTENTIAL SECURITY ISSUE

comment:2 Changed 3 years ago by bradleyayers

  • Easy pickings unset
  • Resolution wontfix deleted
  • Severity set to Normal
  • Status changed from closed to reopened
  • Type set to Uncategorized
  • UI/UX unset

I think the issue FunkyBob raised of the PostgreSQL documentation recommending against using an environment variable to supply the password can be resolved by adding an --insecure command line argument to manage.py dbshell. This would follow the convention established by manage.py runserver.

When a user supplies the --insecure argument, they're giving consent to database backends using insecure techniques to supply the password to the database shell (e.g. using command line argument, or setting an environment variable like PostgreSQL's PGPASSWORD).

Based on this rational I'm re-opening this ticket for re-evaluation.

comment:3 Changed 3 years ago by aaugustin

  • Resolution set to wontfix
  • Status changed from reopened to closed

We've had security reports about the fact that the --insecure option of runserver is, well, insecure. No kidding. So I'm against adding the possibility to do insecure things in Django, no matter how obvious and fat the warnings are.

The ticket was closed as wontfix by Malcolm because the databases provide other, more suitable ways to supply the password. See TicketClosingReasons/DontReopenTickets.

comment:4 Changed 3 years ago by akaariai

For PostgreSQL: We could instruct users to save the password in their .pgpass file. First try with -w (never prompt for password) if that does not succeed add a hint "Can't login without password - try saving connection information to your .pgpass file (see ... for details)". Then try again without -w.

Alternate solution is to create a temporary password file, and make sure it is not word-readable. Then, use the environment variable PGPASSFILE to use the temporary password file. It seems it should be easy to make this work on Linux, but Windows will be a bit harder (see http://docs.python.org/library/tempfile.html#tempfile.NamedTemporaryFile)

Changed 3 years ago by FunkyBob

As requested, the patch now adds a "--insecure" switch to dbshell command so you must choose to permit it.

Note: See TracTickets for help on using tickets.
Back to Top