The implementation of postgresql-role's password up until now relied on
spawining a subshell reading the password file and passing its content
via command line to a psql process which would create users and set
passwords. This allowed a (fast) attacker to eavesdrop, via the kernel
command line facility, the password while they were read,
without having the permissions required for reading the password
file.
This new implementation reads passwords directly from password files
into the Guile process, temporarily stores them in query files living in
a memory backed file system and deletes the query files after executing
them. It also makes sure to turn off logging of commands for the
duration of the password setting transaction, so passwords don't get
leaked to system logs through misconfiguration.
* gnu/services/databases.scm (%postgresql-role-runtime-dir): New
variable.
(postgresql-create-roles): Rework the way passwords are set to avoid
leaking them through subshells and command lines.
(%postgresql-role-file-systems): New variable.
(postgresql-role-service-type): Add file-system-service-type extension
point.
Change-Id: I52406d1d24f5d163081b5c21d3e1760fc0b67a1e
b657836863