[Python-modules-team] Bug#781033: python-django: "manage dbshell" fails to transmit settings password to postgresql

Jean-Michel Nirgal Vourgère jmv_deb at nirgal.com
Mon Mar 23 21:21:51 UTC 2015


Raphael Hertzog wrote:
> On Mon, 23 Mar 2015, Jean-Michel Nirgal Vourgère wrote:
>> (...) When one runs the generated ./manage.py with (...) "dbshell"
>> argument, django only uses host, dbname and username. Then a prompt
>> asks the user for the password.
> dbshell just runs "psql" with the appropriate parameters. psql does
> not accept a password on the command-line or in an environment variable
> (because it's unsafe, as other users can see the command line), but only
> interactively.
> Thus there is just no way to safely feed the password, short of hijacking
> the whole standard input of psql or automatically modifying ~/.pgpass (both
> possibilities look bad to me)
> (...)

Thank you for the details.

I dug a little bit, and I found a Stack Overflow question [1] about psql
authentication. It points to a list of environment variables of interest at

PGPASSWORD would do the trick, but because of exposure to ps -e, that
looks like a Bad Idea™.

Another possibility is PGPASSFILE env, that provides an alternate
~/.pgpass file. I believe a temporary file would work. This wouldn't
require hacking any existing .pgpass.

It is very unlikely that an existing .pgpass file would be required
for django to work, but we could attempt to copy its content at the
beginning of the temporary file, just to be safe.

I do agree this is a minor problem, but it would be nice if it would
work for everyone without the need of maintaining a copy of the current
password in another file.
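
The temporary PGPASSFILE idea from this message, sketched as an added example; it is not part of the original post and is not Django's code. The function names and the `db` dict (shaped like a Django DATABASES entry) are assumptions of the example, and all sample values are constructed.

```python
import contextlib
import os
import stat
import tempfile


def pgpass_escape(field):
    """Escape backslash and colon, the two characters special in a .pgpass field."""
    return str(field).replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(host, port, dbname, user, password):
    """Build one hostname:port:database:username:password entry; '*' is a wildcard."""
    fields = [host or "*", port or "*", dbname or "*", user or "*", password]
    return ":".join(pgpass_escape(f) for f in fields) + "\n"


@contextlib.contextmanager
def temporary_pgpass_env(db, base_env=None):
    """Yield a copy of the environment with PGPASSFILE set to a private temp file.

    `db` is a dict with HOST, PORT, NAME, USER, PASSWORD keys (assumed shape).
    """
    # mkstemp creates the file with mode 0600 (owner only); libpq ignores a
    # password file that group or others can access.
    fd, path = tempfile.mkstemp(prefix="pgpass-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(pgpass_line(db.get("HOST"), db.get("PORT"),
                                     db.get("NAME"), db.get("USER"),
                                     db.get("PASSWORD", "")))
        env = dict(os.environ if base_env is None else base_env)
        env["PGPASSFILE"] = path
        env.pop("PGPASSWORD", None)  # do not also pass the secret via the environment
        yield env
    finally:
        os.unlink(path)  # the file is removed as soon as the psql session ends


def file_mode(path):
    """Return the permission bits of `path`, for checking the 0600 requirement."""
    return stat.S_IMODE(os.stat(path).st_mode)


# Usage sketch: inside `with temporary_pgpass_env(DB) as env:` start psql with
# subprocess.call(["psql", "-h", DB["HOST"], "-U", DB["USER"], DB["NAME"]], env=env)
```

Because the entry is written to a fresh file, the user's existing ~/.pgpass is never modified.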


