Unset bootstrap credentials before exec-ing the server

mkindahl · mkindahl · commit 1b0356fd954e · 2026-05-21T21:59:36.000+02:00
POSTGRES_PASSWORD (and related vars) are only needed during initdb and
the temporary-server initialisation phase. After that they serve no
purpose, but remain in the process environment for the entire lifetime
of the container, where any loaded C extension can read them via
environ.

Unsetting them immediately before the final exec ensures the running
PostgreSQL server process starts with a clean environment.
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -379,6 +379,7 @@ _main() {
 		fi
 	fi
 
+	unset POSTGRES_PASSWORD POSTGRES_USER POSTGRES_DB POSTGRES_INITDB_ARGS
 	exec "$@"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -379,6 +379,7 @@ _main() {`
`379`	`379`	`fi`
`380`	`380`	`fi`
`381`	`381`
	`382`	`+ unset POSTGRES_PASSWORD POSTGRES_USER POSTGRES_DB POSTGRES_INITDB_ARGS`
`382`	`383`	`exec "$@"`
`383`	`384`	`}`
`384`	`385`