Re: BUG #10680: LDAP bind password leaks to log on failed authentication
From | Bruce Momjian |
---|---|
Subject | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
Date | |
Msg-id | 20141013152552.GX21267@momjian.us |
In response to | Re: BUG #10680: LDAP bind password leaks to log on failed authentication (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
List | pgsql-bugs |

On Sun, Oct 12, 2014 at 03:42:10PM -0400, Tom Lane wrote:
> The right problem to be solving, to my mind, is that you feel a need
> to give access to the postmaster log to untrusted people. Now maybe
> that's just a problem of wrong administrative procedures, but let's
> consider what we might do in PG to improve your ability to do that
> safely. Perhaps what we should be entertaining is a proposal to have
> multiple log channels, some containing more security-relevant messages
> and others less so. Then you could give people the ability to read only
> the non-security-relevant messages. If we arranged for *all* messages
> relevant to pg_hba.conf to go into a secure log, it'd be a lot easier to
> convince ourselves that we would not leak any security-critical info
> than if we take the approach this patch proposes.

Uh, are we ready to output pg_hba.conf syntax errors (that might contain
passwords) to that security channel? That seems confusing too. :-(

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +