postgres password appears in process table #563

@freedge

Container platform

OCP 4

Version

quay.io/sclorg/postgresql-15-c9s:latest from awx-operator

OS version of the container image

CentOS Stream 9

Bugzilla, Jira

No response

Description

This image runs psql with the password set on the command line. As a result it appears in the process table and is recorded by auditing tools.

e.g.

As deployed by awx-operator, the postgres container will execute a

psql        --set ON_ERROR_STOP=1 --set=username=awx --set=password=ZTH7V8R1wg2GwI..

Reproducer

cd 16 && podman build -t db -f ./Dockerfile.c9s
sudo auditctl  -a exit,always -F arch=x86_64 -S execve
podman run -ti -v /var/lib/pgsql/data --name db  -e POSTGRESQL_USER=awx -e POSTGRESQL_PASSWORD=lepassword -e POSTGRESQL_DATABASE=awx -e POSTGRESQL_MASTER_USER=lemaster -e POSTGRESQL_MASTER_PASSWORD=lemaster -e POSTGRESQL_ADMIN_PASSWORD=more --rm db
sudo grep psql /var/log/audit/audit.log | grep lepassword
type=EXECVE msg=audit(1713081027.200:82065): argc=5 a0="psql" a1="--set" a2="ON_ERROR_STOP=1" a3="--set=username=awx" a4="--set=password=lepassword"

Something in this fashion would work:

--- a/16/root/usr/share/container-scripts/postgresql/start/set_passwords.sh
+++ b/16/root/usr/share/container-scripts/postgresql/start/set_passwords.sh
@@ -1,23 +1,21 @@
 #!/bin/bash

-_psql () { psql --set ON_ERROR_STOP=1 "$@" ; }
+_psql () { setsid psql --set ON_ERROR_STOP=1 "$@" ; }

 if [[ ",$postinitdb_actions," = *,simple_db,* ]]; then
-_psql --set=username="$POSTGRESQL_USER" \
-      --set=password="$POSTGRESQL_PASSWORD" \
-<<< "ALTER USER :\"username\" WITH ENCRYPTED PASSWORD :'password';"
+(echo "${POSTGRESQL_PASSWORD}" ; echo "${POSTGRESQL_PASSWORD}"
+) | _psql --set=username="$POSTGRESQL_USER" \
+      -f <(echo '\password :username')
 fi
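Review bot: the `setsid` added to `_psql` is load-bearing and should get a comment in the script, because it looks unrelated to the password change: `\password` reads its two prompts from /dev/tty when the process has a controlling terminal and only falls back to stdin when it cannot open one, so without `setsid` the password piped in by `(echo ...; echo ...)` would be ignored whenever the entrypoint runs with a tty (as in the `podman run -ti` reproducer above). Two smaller points on the same hunk: `--set=username="$POSTGRESQL_USER"` still lands in argv, which is fine since the role name is not secret, and `-f <(echo '\password :username')` relies on bash process substitution, which the `#!/bin/bash` shebang already guarantees. Worth recording in the commit message as a side benefit: `\password` hashes the password client-side, so the plaintext no longer reaches the server inside an `ALTER USER ... PASSWORD` statement that `log_statement = 'all'` could write to the server log.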

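The following is an added example, not code from the issue or from sclorg's container-scripts, showing two things a practitioner would want alongside this report: a way to set the role password with psql that keeps the secret out of argv without depending on a tty (psql reads it from the environment with `\getenv`, available from psql 15, which matches the image version reported), and a scan of the process table that would have caught the original invocation. It assumes a Linux `/proc`; the function names `pg_password_script`, `pg_set_password_safe` and `argv_has_secret` are illustrative.

```shell
#!/bin/bash
# Added example (not sclorg's container-scripts). Function names are illustrative.
# Assumes psql 15+ (for \getenv) and a Linux /proc.

# Emit the psql script that sets the role password. The role name arrives as a
# psql variable set from argv (not secret); the password is read from the
# environment by psql itself, so it never appears on any command line.
pg_password_script() {
    cat <<'EOF'
\getenv password POSTGRESQL_PASSWORD
ALTER USER :"username" WITH ENCRYPTED PASSWORD :'password';
EOF
}

# Usage: POSTGRESQL_PASSWORD=... pg_set_password_safe <role>
# :'password' makes psql quote the value as an SQL literal, so quotes in the
# password are safe; ON_ERROR_STOP turns a failed ALTER into a non-zero exit.
pg_set_password_safe() {
    pg_password_script | psql --set ON_ERROR_STOP=1 --set=username="$1"
}

# Detection: scan every process's argv for a substring such as "password=".
# Reads /proc/<pid>/cmdline instead of calling ps so it works in minimal images.
# Matching is done with a shell case pattern rather than grep so the secret
# being searched for is not itself placed in a child process's argv.
# Prints each match and returns 0 if any was found, 1 otherwise.
argv_has_secret() {
    local pat=$1 f pid args found=1
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}; pid=${pid%/cmdline}
        [ "$pid" = "$$" ] && continue                       # skip the scanner itself
        args=$(tr '\0' ' ' 2>/dev/null < "$f") || continue  # process may have exited
        case "$args" in
            *"$pat"*) printf 'pid %s: %s\n' "$pid" "$args"; found=0 ;;
        esac
    done
    return "$found"
}
```

Two caveats. `ALTER USER ... PASSWORD` still sends the plaintext to the server, so a server with `log_statement = 'all'` would log it; `\password` avoids that by hashing client-side, but then the stdin fallback issue from the patch above applies. And `argv_has_secret` only sees what is in argv at scan time; the audit rule from the reproducer (`-S execve`) catches short-lived invocations that a periodic scan would miss.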