vsql -w password: how secure?

How secure is using the "-w" option to vsql? I don't see the password in the Linux process list using the "ps" command. Is Vertica somehow obfuscating the password in the command line? If so, how secure is that?

Comments

  • In general very secure. The password is not listed in the process list as you noted. It also is not stored in clear text in any Vertica files (configuration, catalog, or logs). And interfaces like the admintools which let you get to vsql mask the password as you type it. Of note: if you lose the dbadmin password there is no method of retrieving it, as that would be a security violation. If you lose any other user's password you can go in as dbadmin and you can't retrieve it but you can change it.

    The one place you can see it, and this is out of Vertica's control, is the command history at the OS level as shown below. Even this is somewhat OK because it's specific to the user, so unless someone has the password to log in as the user they shouldn't be able to get to the history to see the vsql command and the password for the db.

    [dbadmin@n4 ~]$ history | grep vsql
      999* vsql -d test -U dbadmin -w 'vertpwd'

    The other places of possible concern, typically customizations, would be:
    - if you have any automation scripts that run vsql, they might have the password in clear text, so they should be permission masked accordingly.
    - if you have set up a vbr.py config file for backups/restores/copydatabase and you've chosen to store the password vs. be prompted for it.
    - if you're using the clients (ODBC, JDBC, or ADO.NET) and you store a password vs. prompting.

  • Thanks Steve!
  • We are having issues with the password showing up in logs because it is part of the command. Is there any way we can load the password from a config file so that it is not exposed this way?
  • Would something like this be what you need, Jason (vsql -U user -w `cat /etc/vertica_password` -f file.sql)?

  • No, the actual command ends up still being the same and shows up in ps/logging/etc. with the actual password.
    > sleep `echo 1` | ps -o command | grep leep
    sleep 1
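
The behaviour described in the last two replies, as an added example that is not part of the original thread: the shell expands a command substitution before the program starts, so the password lands in the process's argument list, while a value passed through the environment does not. Assumptions: a `sh -c` stand-in named `vsql-standin` replaces vsql, the password and its file are constructed samples, and `VSQL_PASSWORD` is the environment variable vsql's documentation lists for supplying a password (the stand-in does not read it).

```shell
#!/bin/sh
# Added example: a `sh -c` stand-in plays vsql so this runs without a database.
# The password and its file are constructed sample values.

PW_FILE=$(mktemp)
chmod 600 "$PW_FILE"                        # owner-only, like a protected config
printf '%s' 'vertpwd-sample' > "$PW_FILE"
trap 'rm -f "$PW_FILE"' EXIT

# Print the argument list that ps (or any local user) sees for PID $1,
# then stop the stand-in. Reads Linux /proc directly.
observe() {
    sleep 1                                 # give the child time to exec
    tr '\000' ' ' < "/proc/$1/cmdline"
    kill "$1" 2>/dev/null || true
}

# Password handed over as an argument: $(cat ...) is expanded by the shell
# first, so the child's argv carries the cleartext value.
argv_when_passed_as_argument() {
    sh -c 'sleep 3; :' vsql-standin -U user -w "$(cat "$PW_FILE")" \
        >/dev/null 2>&1 &
    observe $!
}

# Password handed over in the environment: argv holds only the other options.
# VSQL_PASSWORD is the variable name from vsql's documentation (assumption for
# your version; the stand-in itself ignores it).
argv_when_passed_in_environment() {
    VSQL_PASSWORD=$(cat "$PW_FILE") sh -c 'sleep 3; :' vsql-standin -U user \
        >/dev/null 2>&1 &
    observe $!
}

echo "as -w argument: $(argv_when_passed_as_argument)"
echo "in environment: $(argv_when_passed_in_environment)"
```

The environment of a process is still readable through /proc/<pid>/environ by the same OS user and by root, so the permissions on the password file remain the control that matters.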
