mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-04-06 21:20:33 +02:00
The implementation of postgresql-role's password up until now relied on spawning a subshell reading the password file and passing its content via command line to a psql process which would create users and set passwords. This allowed a (fast) attacker to eavesdrop, via the kernel command line facility, on the password while it was read, without having the permissions required for reading the password file.

This new implementation reads passwords directly from password files into the Guile process, temporarily stores them in query files living in a memory backed file system and deletes the query files after executing them. It also makes sure to turn off logging of commands for the duration of the password setting transaction, so passwords don't get leaked to system logs through misconfiguration.

* gnu/services/databases.scm (%postgresql-role-runtime-dir): New variable.
(postgresql-create-roles): Rework the way passwords are set to avoid leaking them through subshells and command lines.
(%postgresql-role-file-systems): New variable.
(postgresql-role-service-type): Add file-system-service-type extension point.

Change-Id: I52406d1d24f5d163081b5c21d3e1760fc0b67a1e
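The pattern the commit describes, written out as an added POSIX shell example (this is not the Guix service's own Guile code): the password is read from its file by the script's own process, never placed in any process's argument list, written into a 0600 query file on a memory-backed directory, executed from that file inside a transaction that first disables statement logging, and the file is deleted afterwards. Assumptions made here: `psql` is on PATH and runs with a role allowed to `SET LOCAL log_statement` (normally superuser), `/dev/shm` is a writable tmpfs (the script falls back to `TMPDIR` otherwise), and the function and variable names (`set_role_password`, `build_role_query`, the optional executor arguments) are this example's, not the project's.

```shell
#!/bin/sh
# Added example: set a PostgreSQL role password without exposing it on any
# command line or in the server's statement log. Not Guix code.

# Directory for transient query files: memory-backed /dev/shm when usable,
# otherwise TMPDIR (assumption: the caller accepts that fallback).
query_dir() {
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        echo /dev/shm
    else
        echo "${TMPDIR:-/tmp}"
    fi
}

# Print VALUE as a single-quoted SQL string literal (embedded ' doubled).
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Print NAME as a double-quoted SQL identifier (embedded " doubled).
sql_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# build_role_query ROLE PASSWORD: emit the psql script that sets the password
# inside one transaction with statement logging turned off for its duration,
# so a log_statement = 'all' server configuration cannot record the secret.
build_role_query() {
    qrole=$(sql_ident "$1")
    qpw=$(sql_literal "$2")
    printf '%s\n' \
        '\set ON_ERROR_STOP on' \
        'BEGIN;' \
        "SET LOCAL log_statement = 'none';" \
        "ALTER ROLE $qrole WITH PASSWORD $qpw;" \
        'COMMIT;'
}

# set_role_password ROLE PASSWORD_FILE [EXECUTOR ARGS...]
# Reads the password from PASSWORD_FILE in this process (no subshell hands it
# to psql as an argument), writes the query to a fresh 0600 file created by
# mktemp in a memory-backed directory, runs the executor on that file, and
# removes the file whatever the outcome. The executor defaults to
# "psql --no-psqlrc -f"; the file path is its only added argument.
set_role_password() {
    role=$1
    pwfile=$2
    shift 2
    password=$(cat "$pwfile") || return 1   # $(...) drops the trailing newline
    qfile=$(mktemp "$(query_dir)/pg-role.XXXXXX") || return 1
    build_role_query "$role" "$password" > "$qfile"
    if [ $# -eq 0 ]; then
        set -- psql --no-psqlrc -f
    fi
    "$@" "$qfile"
    status=$?
    rm -f "$qfile"
    return $status
}
```

Usage: `set_role_password myapp /etc/myapp/db-password` runs the transaction through `psql`; passing an explicit executor (for instance a wrapper that adds `-h`/`-U`) works as long as it accepts the query file path as its final argument. The password only ever exists in the password file, in this shell's memory, and briefly in the 0600 query file.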