Re: BUG #10680: LDAP bind password leaks to log on failed authentication

Bruce Momjian wrote:
> On Sun, Oct 12, 2014 at 03:42:10PM -0400, Tom Lane wrote:
> > The right problem to be solving, to my mind, is that you feel a need
> > to give access to the postmaster log to untrusted people.  Now maybe
> > that's just a problem of wrong administrative procedures, but let's
> > consider what we might do in PG to improve your ability to do that
> > safely.  Perhaps what we should be entertaining is a proposal to have
> > multiple log channels, some containing more security-relevant messages
> > and others less so.  Then you could give people the ability to read only
> > the non-security-relevant messages.  If we arranged for *all* messages
> > relevant to pg_hba.conf to go into a secure log, it'd be a lot easier to
> > convince ourselves that we would not leak any security-critical info
> > than if we take the approach this patch proposes.
>
> Uh, are we ready to output pg_hba.conf syntax errors (that might contain
> passwords) to the that security channel?  That seems confusing too.  :-(

I don't see why it would be confusing.  The rule would be along the
lines of "if there's a problem parsing pg_hba.conf, log to the security
channel".  It doesn't matter that the actual contents being logged turn
out not to be security sensitive; it's enough that they *could be*.

If this seems confusing, an idea is to log a generic "parse errors in
pg_hba.conf, see security.log for details" to the standard log channel.
But this doesn't seem necessary to me.

--
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services