Michael Leonhard <mich...@leonhardllc.com> writes:
> I need to pass a connection string to psql inside Docker [2]. I can
> pass it as a process argument, but this exposes the password to other
> processes on my machine:
> $ docker run --rm -i -t postgres:11 psql "$(cat db_uri)"

Yeah, if you include the password in the URI :-(

> How about adding PGURI to the list of supported environment variables [3]?

That will not fix your security problem, because on a lot of OSes,
environment variables are *also* visible to other processes.

There are other practical problems with such a proposal, mainly that
it's not clear how such a variable ought to interact with existing
connection-control variables (eg, if you set both PGURI and PGHOST,
which wins?)

The only safe way to deal with a password is to have some other
out-of-band way to pass it. That's one reason for the popularity of
~/.pgpass files. Alternatively, look into non-password authentication
methods.

regards, tom lane
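
Added example, not part of the original message or of PostgreSQL: one way to apply the ~/.pgpass suggestion to the Docker case, by writing a 0600 password file on the host and bind-mounting it so that only its path (via libpq's PGPASSFILE variable) appears in the environment. The function names, the /run/pgpass mount point and the host, database and user values are hypothetical.

```shell
#!/bin/sh
# Escape one pgpass field: backslash and colon must be backslash-escaped.
# printf is a shell builtin and sed reads stdin, so the value never
# shows up in another process's argument list.
esc() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# write_pgpass OUTFILE HOST PORT DB USER PWFILE
# PWFILE holds only the password on its first line (assumed layout).
# Writes a single "host:port:database:user:password" entry.
write_pgpass() {
    out=$1; host=$2; port=$3; db=$4; user=$5; pwfile=$6
    # read -r keeps backslashes; tolerate a missing trailing newline.
    IFS= read -r pw < "$pwfile" || [ -n "$pw" ] || return 1
    (
        umask 077        # new file is 0600 from the moment it exists
        rm -f "$out"     # do not inherit looser modes from an old file
        printf '%s:%s:%s:%s:%s\n' "$(esc "$host")" "$(esc "$port")" \
            "$(esc "$db")" "$(esc "$user")" "$(esc "$pw")" > "$out"
    )
}

# Usage (hypothetical values). libpq ignores a password file that is
# readable by group or others, so this assumes the bind mount keeps
# mode 0600 inside the container:
#
#   write_pgpass "$PWD/pgpass" db.example.com 5432 appdb app "$PWD/db_password"
#   docker run --rm -i -t \
#       -v "$PWD/pgpass:/run/pgpass:ro" -e PGPASSFILE=/run/pgpass \
#       postgres:11 psql -h db.example.com -p 5432 -U app appdb
```

With this layout the psql command line carries only host, port, user and database; the password is looked up from the mounted file by matching those fields.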