
Hide command line passwords from ps #355

Closed
joewalnes opened this issue Sep 17, 2015 · 5 comments

Comments

@joewalnes

It's super convenient to be able to run pgcli like this:

$ pgcli 'host=somehost user=someuser password=somepassword'
# or
$ pgcli postgresql://someuser:somepassword@somehost

However, it enables other users on the same system to see the password by running ps, top, etc.

Some other clients (like the regular mysql client) have a cunning way to hide this: http://unix.stackexchange.com/questions/88665/how-does-ps-know-to-hide-passwords

And there's a Python package that wraps this up to make it easy: https://github.com/dvarrazzo/py-setproctitle

Although neither of these is foolproof (there's a timing attack due to a small window of opportunity between the process being started and the args being modified), it can help reduce the attack vector.

@amjith
Member

amjith commented Sep 18, 2015

Looks like you have a great solution to this. Would you be willing to take a stab at it and send a PR? I'll be happy to help in any way possible.

@joewalnes
Author

Sure! Looking at the code, I see two options for implementing this:

  • Option 1: In the main cli() function, read sys.argv and look for anything that looks like a connection string in the entire cmd line, and hide it. This is the quickest solution.
  • Option 2: Maybe this actual arg hiding should go inside the click library. Something like @click.argument('database', obscure=lambda arg: do_something(arg), ...). This will be useful to more people.

Thoughts?
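As an added illustration (not pgcli's code and not something posted in this thread), here is what Option 1 from the comment above looks like when combined with the setproctitle mechanism from the opening post: scan the argument list for either a libpq `key=value` connection string or a `postgresql://` URL, replace the password with a placeholder, and push the redacted command line into the process title so `ps` and `top` show the placeholder. The function names, the `xxxx` placeholder and the sample argument lists are assumptions chosen for this example; `setproctitle` is treated as an optional dependency so the redaction logic itself runs without it.

```python
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed samples mirroring the two invocations shown in the issue.
SAMPLE_ARGV_KV = ["pgcli", "host=somehost user=someuser password=somepassword"]
SAMPLE_ARGV_URL = ["pgcli", "postgresql://someuser:somepassword@somehost"]

PLACEHOLDER = "xxxx"  # assumed placeholder; anything non-secret will do

# libpq conninfo form: "password=secret" or "password='secret with spaces'"
_KV_PASSWORD = re.compile(r"(?i)\b(password\s*=\s*)('[^']*'|\S+)")
# URL forms accepted by libpq
_URL_SCHEMES = ("postgresql://", "postgres://")


def _redact_url(arg):
    """Replace the password in a postgresql:// URL's userinfo, leaving
    host, port, path and query untouched."""
    parts = urlsplit(arg)
    if "@" not in parts.netloc:
        return arg  # no userinfo, so no password to hide
    userinfo, hostpart = parts.netloc.rsplit("@", 1)
    if ":" not in userinfo:
        return arg  # user only, no password
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc=f"{user}:{PLACEHOLDER}@{hostpart}"))


def redact_argv(argv):
    """Return a copy of argv with any password replaced by PLACEHOLDER.
    argv itself is never modified: the real password must stay in
    sys.argv so the client can still connect."""
    redacted = []
    for arg in argv:
        if arg.lower().startswith(_URL_SCHEMES):
            redacted.append(_redact_url(arg))
        else:
            redacted.append(_KV_PASSWORD.sub(lambda m: m.group(1) + PLACEHOLDER, arg))
    return redacted


def hide_password_from_ps(argv=None):
    """Rewrite the process title seen by ps/top to the redacted command line.
    Returns the new title when applied, or None when there was nothing to
    redact or the optional setproctitle package is not installed. Note the
    window the issue mentions: until this runs, the real argv is visible."""
    argv = list(sys.argv if argv is None else argv)
    redacted = redact_argv(argv)
    if redacted == argv:
        return None
    title = " ".join(redacted)
    try:
        import setproctitle  # optional dependency (assumption of this example)
    except ImportError:
        return None
    setproctitle.setproctitle(title)
    return title


if __name__ == "__main__":
    print(redact_argv(SAMPLE_ARGV_KV))
    print(redact_argv(SAMPLE_ARGV_URL))
    print(hide_password_from_ps())
```

Call `hide_password_from_ps()` as early as possible in `cli()`, before any work that could block, since the exposure window is exactly the time between `exec` and the call; the `urlsplit` route is used for URLs rather than a regex so that a password containing `@` or `:` is still replaced correctly.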

@amjith
Member

amjith commented Sep 20, 2015

That's a good observation. I think solution 1 is good for the short term, and we should file an issue with click for the longer-term solution.

You're right, it'll be useful for others.

@jayzeng
Contributor

jayzeng commented Sep 20, 2015

👍 on the feature, I (personally) don't see the need to make it a cli argument.

@amjith
Member

amjith commented Nov 1, 2015

Fix released in 0.20.0.

Please upgrade:

pip install -U pgcli
