Container platform: OCP 4
Version: quay.io/sclorg/postgresql-15-c9s:latest from awx-operator
OS version of the container image: CentOS Stream 9
Bugzilla, Jira: No response
This image runs psql with the password set on the command line. As a result it appears in the process table and is recorded by auditing tools.

e.g.

postgresql-container/10/root/usr/share/container-scripts/postgresql/start/set_passwords.sh
Line 6 in d0cecca

As deployed by awx-operator, the postgres container will execute a

```
psql --set ON_ERROR_STOP=1 --set=username=awx --set=password=ZTH7V8R1wg2GwI..
```
Reproducer

```sh
# Build the image from the version 16 directory
cd 16 && podman build -t db -f ./Dockerfile.c9s
# Audit every execve on the host
sudo auditctl -a exit,always -F arch=x86_64 -S execve
# Start the container so the init scripts set the passwords
podman run -ti -v /var/lib/pgsql/data --name db -e POSTGRESQL_USER=awx -e POSTGRESQL_PASSWORD=lepassword -e POSTGRESQL_DATABASE=awx -e POSTGRESQL_MASTER_USER=lemaster -e POSTGRESQL_MASTER_PASSWORD=lemaster -e POSTGRESQL_ADMIN_PASSWORD=more --rm db
# The password shows up in the recorded argv
sudo grep psql /var/log/audit/audit.log | grep lepassword
```

```
type=EXECVE msg=audit(1713081027.200:82065): argc=5 a0="psql" a1="--set" a2="ON_ERROR_STOP=1" a3="--set=username=awx" a4="--set=password=lepassword"
```
Something in this fashion would work:
--- a/16/root/usr/share/container-scripts/postgresql/start/set_passwords.sh +++ b/16/root/usr/share/container-scripts/postgresql/start/set_passwords.sh @@ -1,23 +1,21 @@ #!/bin/bash -_psql () { psql --set ON_ERROR_STOP=1 "$@" ; } +_psql () { setsid psql --set ON_ERROR_STOP=1 "$@" ; } if [[ ",$postinitdb_actions," = *,simple_db,* ]]; then -_psql --set=username="$POSTGRESQL_USER" \ - --set=password="$POSTGRESQL_PASSWORD" \ -<<< "ALTER USER :\"username\" WITH ENCRYPTED PASSWORD :'password';" +(echo "${POSTGRESQL_PASSWORD}" ; echo "${POSTGRESQL_PASSWORD}" +) | _psql --set=username="$POSTGRESQL_USER" \ + -f <(echo '\password :username') fi
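Review bot: `setsid` is added to the shared `_psql` wrapper, so every psql call in this script loses its controlling terminal, not only the `\password` call that needs the prompt to fall back to stdin. Consider applying it only in the `simple_db` pipeline, and as `setsid --wait` so that psql's exit status (and with it `ON_ERROR_STOP`) still reaches the script if setsid has to fork. In the same pipeline, `echo "${POSTGRESQL_PASSWORD}"` swallows a password that is exactly an echo option such as `-n` or `-e`; `printf '%s\n' "$POSTGRESQL_PASSWORD"` is safer. Only the `simple_db` branch is visible here, so any other `--set=password=` call in the file needs the same conversion.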
Thanks for the report. This makes sense to fix. Let's take a look.
fila43
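The reproducer above greps the audit log for the literal password, which misses arguments that auditd logs hex-encoded (it does so for values containing spaces, quotes or non-printable bytes). As an added example, not part of the issue or of the sclorg scripts, the following scans EXECVE records for password-like assignments, decodes the hex form and reports the argument name without the value; the name pattern is an assumption, and the second and third sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the issue): report auditd EXECVE arguments that
# assign a password-like variable, without echoing the secret itself.

# Sample input. The first record is the one quoted in the issue; the second
# (constructed) carries a password containing a space, which auditd logs
# hex-encoded and unquoted; the third (constructed) has no secret.
sample_audit_lines() {
cat <<'EOF'
type=EXECVE msg=audit(1713081027.200:82065): argc=5 a0="psql" a1="--set" a2="ON_ERROR_STOP=1" a3="--set=username=awx" a4="--set=password=lepassword"
type=EXECVE msg=audit(1713081030.100:82070): argc=5 a0="psql" a1="--set" a2="ON_ERROR_STOP=1" a3="--set=username=awx" a4=2D2D7365743D70617373776F72643D6C652070617373
type=EXECVE msg=audit(1713081031.000:82071): argc=3 a0="psql" a1="--set" a2="ON_ERROR_STOP=1"
EOF
}

# Reads audit.log lines on stdin; prints "<audit id> <argN> <name>=<redacted>".
find_secret_args() {
  awk '
    # Decode a bare (unquoted) audit value, which is hex.
    function unhex(s,   i, out, hi, lo) {
      s = toupper(s); out = ""
      for (i = 1; i < length(s); i += 2) {
        hi = index(H, substr(s, i, 1)) - 1
        lo = index(H, substr(s, i + 1, 1)) - 1
        out = out sprintf("%c", hi * 16 + lo)
      }
      return out
    }
    BEGIN { H = "0123456789ABCDEF" }
    $1 == "type=EXECVE" {
      id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id)
      for (f = 3; f <= NF; f++) {
        if ($f !~ /^a[0-9]+=/) continue          # skips argc= and aN_len=
        p = index($f, "="); key = substr($f, 1, p - 1); val = substr($f, p + 1)
        if (val ~ /^".*"$/) val = substr(val, 2, length(val) - 2)
        else if (val ~ /^[0-9A-Fa-f]+$/ && length(val) % 2 == 0) val = unhex(val)
        # Match on a lower-cased copy so upper-case names are caught as well.
        if (match(tolower(val), /(password|passwd|secret|token)[^=]*=./))
          printf "%s %s %s=<redacted>\n", id, key, substr(val, 1, RSTART + RLENGTH - 3)
      }
    }'
}

sample_audit_lines | find_secret_args
```

On a host, feed it the real log instead of the sample, for example `sudo cat /var/log/audit/audit.log | find_secret_args`.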