authorBryn M. Reeves <bmr@redhat.com>2014-08-21 18:29:50 +0100
committerBryn M. Reeves <bmr@redhat.com>2014-08-21 21:53:25 +0100
commit7cdc1deabaeae226b498da74e1f60302f8a68a26 (patch)
tree820c84747c7c6519db4ef8c8f8b2aa2910fbc0f7
parenta917f43659f0b8c10b520fc7e4c285f9649e5ba5 (diff)
downloadsos-7cdc1deabaeae226b498da74e1f60302f8a68a26.tar.gz
[postgresql] obtain PGPASSWORD from the environment
Allow the value of PGPASSWORD to be inherited from the environment. This prevents the password being exposed in command line parameters that may be visible to other users on the system. Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
-rw-r--r--sos/plugins/postgresql.py17
1 files changed, 11 insertions, 6 deletions
diff --git a/sos/plugins/postgresql.py b/sos/plugins/postgresql.py
index 9bdbf236..87a07d0f 100644
--- a/sos/plugins/postgresql.py
+++ b/sos/plugins/postgresql.py
@@ -33,10 +33,12 @@ class PostgreSQL(Plugin):
tmp_dir = None
+ password_warn_text = " (password visible in process listings)"
+
option_list = [
('pghome', 'PostgreSQL server home directory.', '', '/var/lib/pgsql'),
('username', 'username for pg_dump', '', 'postgres'),
- ('password', 'password for pg_dump', '', ''),
+ ('password', 'password for pg_dump' + password_warn_text, '', ''),
('dbname', 'database name to dump for pg_dump', '', ''),
('dbhost', 'database hostname/IP (do not use unix socket)', '', ''),
('dbport', 'database server port number', '', '5432')
@@ -44,8 +46,12 @@ class PostgreSQL(Plugin):
def pg_dump(self):
dest_file = os.path.join(self.tmp_dir, "sos_pgdump.tar")
- old_env_pgpassword = os.environ.get("PGPASSWORD")
- os.environ["PGPASSWORD"] = self.get_option("password")
+ # We're only modifying this for ourself and our children so there
+ # is no need to save and restore environment variables if the user
+ # decided to pass the password on the command line.
+ if self.get_option("password") is not None:
+ os.environ["PGPASSWORD"] = self.get_option("password")
+
if self.get_option("dbhost"):
cmd = "pg_dump -U %s -h %s -p %s -w -f %s -F t %s" % (
self.get_option("username"),
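Review bot: The `is not None` guard added in pg_dump() looks like it is always true, because the `password` entry in option_list defaults to `''`, so an unset option presumably comes back as an empty string and `os.environ["PGPASSWORD"]` is overwritten with `''`. That would discard the inherited value that the new `"PGPASSWORD" in os.environ` test in setup() (last hunk) depends on, so the environment-only path this commit introduces would fail to authenticate. A truthiness test avoids the clobber: `if self.get_option("password"):`. Separately, the new comment should state that the value stays in sos's own environment and is inherited by every external program run afterwards, not only pg_dump; if that is not intended, drop the variable again after `call_ext_prog` when it was set from the option. pg_dump() begins in this hunk and its body continues outside it.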
@@ -60,9 +66,8 @@ class PostgreSQL(Plugin):
dest_file,
self.get_option("dbname")
)
+
result = self.call_ext_prog(cmd)
- if old_env_pgpassword is not None:
- os.environ["PGPASSWORD"] = str(old_env_pgpassword)
if (result['status'] == 0):
self.add_copy_spec(dest_file)
else:
@@ -76,7 +81,7 @@ class PostgreSQL(Plugin):
def setup(self):
if self.get_option("dbname"):
- if self.get_option("password"):
+ if self.get_option("password") or "PGPASSWORD" in os.environ:
self.tmp_dir = tempfile.mkdtemp()
self.pg_dump()
else: