Обсуждение: postgresql 8.3 logging user passwords in clear text
All:
I have a postgresql instance and I have noticed that it is logging the user passwords in clear text in the postgresql.log. Is this configurable so that it retains the user info and commands but does not log the password?
Keith
I have a postgresql instance and I have noticed that it is logging the user passwords in clear text in the postgresql.log. Is this configurable so that it retains the user info and commands but does not log the password?
Keith
On Mon, Aug 23, 2010 at 5:47 PM, Keith Pinnix <kpinnix@yahoo.com> wrote: > All: > > I have a postgresql instance and I have noticed that it is logging the user > passwords in clear text in the postgresql.log. Is this configurable so > that it retains the user info and commands but does not log the password? Got some redacted log examples?
Excerpts from Keith Pinnix's message of lun ago 23 19:47:53 -0400 2010: > All: > > I have a postgresql instance and I have noticed that it is logging the user > passwords in clear text in the postgresql.log. Is this configurable so that it > retains the user info and commands but does not log the password? In what context? If you're doing ALTER ROLE / PASSWORD with the password in clear text, then that's obviously going to show up in the log. The solution is to encrypt them client-side; for example use \password in psql to change passwords, which does that automatically. -- Álvaro Herrera <alvherre@commandprompt.com> The PostgreSQL Company - Command Prompt, Inc. PostgreSQL Replication, Consulting, Custom Development, 24x7 support
On Tue, Aug 24, 2010 at 12:20 PM, Keith Pinnix <kpinnix@yahoo.com> wrote: > Scott: > > The entries are from dblimk something like below: > > SELECT * FROM dblink('dbname=XXXXXX host=XXXXXX port=XXX user=XXXXX > password=XXXXXXX ', > > We use this feature quite a bit and this presents quite a security issue. > We are currently using 8.3. You could set up those machines to connect via trust. But yeah, dblink otherwise has passwords in the connect string.
Scott Marlowe <scott.marlowe@gmail.com> writes: > On Tue, Aug 24, 2010 at 12:20 PM, Keith Pinnix <kpinnix@yahoo.com> wrote: >> The entries are from dblimk something like below: >> �SELECT * FROM dblink('dbname=XXXXXX� host=XXXXXX port=XXX� user=XXXXX >> password=XXXXXXX ', > You could set up those machines to connect via trust. But yeah, > dblink otherwise has passwords in the connect string. Actually, the general opinion on this is that the postmaster log files have to be protected because they might contain sensitive data; *especially* so if you're enabling log_statements, but even without that. dblink passwords are just one small manifestation of the general problem. As an example, you might be inserting customers' credit card numbers or some such into your tables. Even if the log_statement mechanism understood that it should hide passwords, it's hardly likely to know that specific bits of ordinary data have security implications. IOW: you're trying to fix this in the wrong place. Secure your logfiles, don't imagine that you can prevent there being any sensitive info in them. regards, tom lane