From 10b4b38fb43c7e8a056823798846ab8e73c8adfe Mon Sep 17 00:00:00 2001 From: Mats Kindahl Date: Thu, 21 May 2026 21:58:53 +0200 Subject: [PATCH] Unset bootstrap credentials before exec-ing the server POSTGRES_PASSWORD (and related vars) are only needed during initdb and the temporary-server initialisation phase. After that they serve no purpose, but remain in the process environment for the entire lifetime of the container, where any loaded C extension can read them via environ. Unsetting them immediately before the final exec ensures the running PostgreSQL server process starts with a clean environment. --- 14/alpine3.23/docker-entrypoint.sh | 2 ++ 14/alpine3.24/docker-entrypoint.sh | 2 ++ 14/bookworm/docker-entrypoint.sh | 2 ++ 14/trixie/docker-entrypoint.sh | 2 ++ 15/alpine3.23/docker-entrypoint.sh | 2 ++ 15/alpine3.24/docker-entrypoint.sh | 2 ++ 15/bookworm/docker-entrypoint.sh | 2 ++ 15/trixie/docker-entrypoint.sh | 2 ++ 16/alpine3.23/docker-entrypoint.sh | 2 ++ 16/alpine3.24/docker-entrypoint.sh | 2 ++ 16/bookworm/docker-entrypoint.sh | 2 ++ 16/trixie/docker-entrypoint.sh | 2 ++ 17/alpine3.23/docker-entrypoint.sh | 2 ++ 17/alpine3.24/docker-entrypoint.sh | 2 ++ 17/bookworm/docker-entrypoint.sh | 2 ++ 17/trixie/docker-entrypoint.sh | 2 ++ 18/alpine3.23/docker-entrypoint.sh | 2 ++ 18/alpine3.24/docker-entrypoint.sh | 2 ++ 18/bookworm/docker-entrypoint.sh | 2 ++ 18/trixie/docker-entrypoint.sh | 2 ++ 19/alpine3.23/docker-entrypoint.sh | 2 ++ 19/alpine3.24/docker-entrypoint.sh | 2 ++ 19/bookworm/docker-entrypoint.sh | 2 ++ 19/trixie/docker-entrypoint.sh | 2 ++ docker-entrypoint.sh | 2 ++ 25 files changed, 50 insertions(+) diff --git a/14/alpine3.23/docker-entrypoint.sh b/14/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/alpine3.23/docker-entrypoint.sh +++ b/14/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/14/alpine3.24/docker-entrypoint.sh b/14/alpine3.24/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/alpine3.24/docker-entrypoint.sh +++ b/14/alpine3.24/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/14/bookworm/docker-entrypoint.sh b/14/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/bookworm/docker-entrypoint.sh +++ b/14/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/14/trixie/docker-entrypoint.sh b/14/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/trixie/docker-entrypoint.sh +++ b/14/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/alpine3.23/docker-entrypoint.sh b/15/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/alpine3.23/docker-entrypoint.sh +++ b/15/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/alpine3.24/docker-entrypoint.sh b/15/alpine3.24/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/alpine3.24/docker-entrypoint.sh +++ b/15/alpine3.24/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/bookworm/docker-entrypoint.sh b/15/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/bookworm/docker-entrypoint.sh +++ b/15/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/trixie/docker-entrypoint.sh b/15/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/trixie/docker-entrypoint.sh +++ b/15/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/alpine3.23/docker-entrypoint.sh b/16/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/alpine3.23/docker-entrypoint.sh +++ b/16/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/alpine3.24/docker-entrypoint.sh b/16/alpine3.24/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/alpine3.24/docker-entrypoint.sh +++ b/16/alpine3.24/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/bookworm/docker-entrypoint.sh b/16/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/bookworm/docker-entrypoint.sh +++ b/16/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/trixie/docker-entrypoint.sh b/16/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/trixie/docker-entrypoint.sh +++ b/16/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/alpine3.23/docker-entrypoint.sh b/17/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/alpine3.23/docker-entrypoint.sh +++ b/17/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/alpine3.24/docker-entrypoint.sh b/17/alpine3.24/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/alpine3.24/docker-entrypoint.sh +++ b/17/alpine3.24/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/bookworm/docker-entrypoint.sh b/17/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/bookworm/docker-entrypoint.sh +++ b/17/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/trixie/docker-entrypoint.sh b/17/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/trixie/docker-entrypoint.sh +++ b/17/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/alpine3.23/docker-entrypoint.sh b/18/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/alpine3.23/docker-entrypoint.sh +++ b/18/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/alpine3.24/docker-entrypoint.sh b/18/alpine3.24/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/alpine3.24/docker-entrypoint.sh +++ b/18/alpine3.24/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/bookworm/docker-entrypoint.sh b/18/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/bookworm/docker-entrypoint.sh +++ b/18/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/trixie/docker-entrypoint.sh b/18/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/trixie/docker-entrypoint.sh +++ b/18/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/19/alpine3.23/docker-entrypoint.sh b/19/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/19/alpine3.23/docker-entrypoint.sh +++ b/19/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/19/alpine3.24/docker-entrypoint.sh b/19/alpine3.24/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/19/alpine3.24/docker-entrypoint.sh +++ b/19/alpine3.24/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/19/bookworm/docker-entrypoint.sh b/19/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/19/bookworm/docker-entrypoint.sh +++ b/19/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/19/trixie/docker-entrypoint.sh b/19/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/19/trixie/docker-entrypoint.sh +++ b/19/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@"