
password visible to everyone?

Open f1-outsourcing opened this issue 1 year ago • 3 comments

You do know that supplying the password as a command line argument is visible to everyone? Lots of containers work with supplying configuration via environment variables.

f1-outsourcing avatar Sep 29 '22 20:09 f1-outsourcing

@f1-outsourcing what exactly do you mean by every one?

Also, see https://github.com/sosedoff/pgweb/wiki/Usage#environment-variables-available for environment variables supported by the application

sosedoff avatar Sep 29 '22 21:09 sosedoff

I am blind! Totally missed this page. Everyone that can query the host ps, and some container orchestrators publish this type of information in rest end points.

Maybe put this also in the --help; that is the first thing people consult.

f1-outsourcing avatar Sep 29 '22 21:09 f1-outsourcing
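The point raised above (anything passed as an argument shows up in the process table and, in some orchestrators, in a REST endpoint) can be checked from the defender's side by auditing `/proc/<pid>/cmdline`. The script below is an added example and is not pgweb's own code; the flag names it treats as secret-carrying (`--pass`, `--password`) and the sample command lines are assumptions constructed for the example, not captured from a real host. It flags inline passwords and passwords embedded in connection URLs, and produces a redacted argv that is safe to put in a report or log.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Flags assumed (for this example) to carry a password directly; not pgweb's documented option list.
SECRET_FLAGS = ("--pass", "--password")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed /proc/<pid>/cmdline records (NUL-separated argv), not captured from a real host.
SAMPLE_CMDLINES = {
    1234: b"pgweb\0--host=db.internal\0--user=app\0--pass=hunter2\0--db=app\0",
    1235: b"pgweb\0--url\0postgres://app:hunter2@db.internal:5432/app?sslmode=require\0",
    1236: b"pgweb\0--host=db.internal\0--user=app\0--db=app\0",
}


def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline record into argv (empty fields, e.g. the trailing NUL, dropped)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def url_has_password(s: str) -> bool:
    """True if s is a URL whose userinfo part carries a password."""
    if not URL_RE.match(s):
        return False
    try:
        return urlsplit(s).password is not None
    except ValueError:
        return False


def redact_url(url: str) -> str:
    """Replace the password in a URL's userinfo with '***', keeping everything else."""
    p = urlsplit(url)
    if p.password is None:
        return url
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    netloc = f"{p.username or ''}:***@{host}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def audit_argv(argv: list[str]) -> tuple[list[str], list[str]]:
    """Return (findings, redacted argv) for one process command line."""
    findings, redacted = [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        flag, sep, value = arg.partition("=")
        if sep and flag in SECRET_FLAGS:
            findings.append(f"{flag} value given inline")
            redacted.append(f"{flag}=***")
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            findings.append(f"{arg} value given as next argument")
            redacted.extend([arg, "***"])
            i += 1  # skip the value we just redacted
        elif sep and url_has_password(value):
            findings.append(f"{flag} URL embeds a password")
            redacted.append(f"{flag}={redact_url(value)}")
        elif url_has_password(arg):
            findings.append("connection URL embeds a password")
            redacted.append(redact_url(arg))
        else:
            redacted.append(arg)
        i += 1
    return findings, redacted


def audit_processes(records: dict[int, bytes]) -> dict[int, list[str]]:
    """Map pid -> findings for every process whose command line exposes a secret."""
    result = {}
    for pid, raw in records.items():
        findings, _ = audit_argv(parse_cmdline(raw))
        if findings:
            result[pid] = findings
    return result


def read_proc_cmdlines() -> dict[int, bytes]:
    """Collect cmdline records from /proc (Linux); entries we cannot read are skipped."""
    records = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/cmdline", "rb") as fh:
                    records[int(name)] = fh.read()
            except OSError:
                continue
    return records


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_proc_cmdlines() to audit a live Linux host.
    for pid, findings in audit_processes(SAMPLE_CMDLINES).items():
        _, redacted = audit_argv(parse_cmdline(SAMPLE_CMDLINES[pid]))
        print(pid, "; ".join(findings), "->", " ".join(redacted))
```

Any unprivileged user who can list processes sees the same argv this script reads, which is why the environment-variable route discussed in the thread is preferable: environment is readable only from `/proc/<pid>/environ`, which is restricted to the process owner (and root), so it does not leak through `ps` or a process-listing endpoint.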

Gotcha - keep in mind pgweb is not meant to be run in untrusted environments; it's a tool that does not have many control knobs, so if you're concerned with security (i.e. people seeing prod credentials), do not run pgweb on such hosts.

I'll make a note of --help modifications, thank you.

sosedoff avatar Sep 29 '22 22:09 sosedoff

This was added in #586

sosedoff avatar Nov 22 '22 22:11 sosedoff