Discussion: postgresql 8.3 logging user passwords in clear text


postgresql 8.3 logging user passwords in clear text

From
Keith Pinnix
Date:
All:

I have a postgresql instance and I have noticed that it is logging the user passwords in clear text in the postgresql.log.   Is this configurable so that it retains the user info and commands but does not log the password?

Keith

Re: postgresql 8.3 logging user passwords in clear text

From
Scott Marlowe
Date:
On Mon, Aug 23, 2010 at 5:47 PM, Keith Pinnix <kpinnix@yahoo.com> wrote:
> All:
>
> I have a postgresql instance and I have noticed that it is logging the user
> passwords in clear text in the postgresql.log.   Is this configurable so
> that it retains the user info and commands but does not log the password?

Got some redacted log examples?

Re: postgresql 8.3 logging user passwords in clear text

From
Alvaro Herrera
Date:
Excerpts from Keith Pinnix's message of lun ago 23 19:47:53 -0400 2010:
> All:
>
> I have a postgresql instance and I have noticed that it is logging the user
> passwords in clear text in the postgresql.log.   Is this configurable so that it
> retains the user info and commands but does not log the password?

In what context?  If you're doing ALTER ROLE / PASSWORD with the
password in clear text, then that's obviously going to show up in the
log.  The solution is to encrypt them client-side; for example use
\password in psql to change passwords, which does that automatically.

--
Álvaro Herrera <alvherre@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
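The client-side encryption Alvaro refers to is what psql's \password does before it sends ALTER ROLE: it hashes the password locally, so the statement text (and therefore any log_statement output) carries only the hash. The following is an added example, not code from the thread or from PostgreSQL, that reproduces the MD5 scheme 8.3 used (`'md5' || md5(password || username)`) and builds the statement a client would send. The role and password values are constructed.

```python
import hashlib


def pg_md5_password(password: str, username: str) -> str:
    """Return the stored form PostgreSQL uses for MD5 passwords:
    'md5' + hex(md5(password || username)).

    Salting with the role name is part of the scheme; the same password
    hashes differently for different roles. This is the computation psql's
    \\password performed in the 8.x line before sending ALTER ROLE.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def alter_role_statement(username: str, password: str) -> str:
    """Build the ALTER ROLE statement with the pre-hashed password.

    PostgreSQL recognises a 35-character 'md5...' string as already hashed
    and stores it verbatim, so the cleartext never reaches the server and
    never appears in the logged statement. The hash is hex digits only, so
    it needs no escaping inside the SQL literal; the role name is quoted as
    an identifier with embedded double quotes doubled.
    """
    ident = '"' + username.replace('"', '""') + '"'
    hashed = pg_md5_password(password, username)
    return f"ALTER ROLE {ident} PASSWORD '{hashed}';"


if __name__ == "__main__":
    # Constructed role and password, used only to show the statement shape.
    print(alter_role_statement("report", "correct horse battery staple"))
```

The statement printed is what a log_statement = 'all' server would record for this password change: the hash, not the password. Later PostgreSQL releases use SCRAM-SHA-256 for the same purpose; the principle (hash before the SQL text is formed) is unchanged.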

Re: postgresql 8.3 logging user passwords in clear text

From
Scott Marlowe
Date:
On Tue, Aug 24, 2010 at 12:20 PM, Keith Pinnix <kpinnix@yahoo.com> wrote:
> Scott:
>
> The entries are from dblink something like below:
>
>  SELECT * FROM dblink('dbname=XXXXXX  host=XXXXXX port=XXX  user=XXXXX
> password=XXXXXXX ',
>
> We use this feature quite a bit and this presents quite a security issue.
> We are currently using  8.3.

You could set up those machines to connect via trust.  But yeah,
dblink otherwise has passwords in the connect string.

Re: postgresql 8.3 logging user passwords in clear text

From
Tom Lane
Date:
Scott Marlowe <scott.marlowe@gmail.com> writes:
> On Tue, Aug 24, 2010 at 12:20 PM, Keith Pinnix <kpinnix@yahoo.com> wrote:
>> The entries are from dblink something like below:
>> SELECT * FROM dblink('dbname=XXXXXX host=XXXXXX port=XXX user=XXXXX
>> password=XXXXXXX ',

> You could set up those machines to connect via trust.  But yeah,
> dblink otherwise has passwords in the connect string.

Actually, the general opinion on this is that the postmaster log files
have to be protected because they might contain sensitive data;
*especially* so if you're enabling log_statements, but even without
that.  dblink passwords are just one small manifestation of the general
problem.  As an example, you might be inserting customers' credit card
numbers or some such into your tables.  Even if the log_statement
mechanism understood that it should hide passwords, it's hardly likely
to know that specific bits of ordinary data have security implications.

IOW: you're trying to fix this in the wrong place.  Secure your
logfiles, don't imagine that you can prevent there being any sensitive
info in them.

            regards, tom lane
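Two practical follow-ups to Tom's point, as an added example that is not part of the thread: check that the postmaster log is readable only by its owner, and, where log lines must be shipped elsewhere anyway (central logging, support tickets), strip connection-string passwords from dblink() calls before they leave the box. The sample log lines below are constructed, not from any real server, and the redaction only covers the `password=` key of a libpq connection string; as Tom says, it cannot know which ordinary column values are sensitive.

```python
import os
import re
import stat
import sys

# A connection-string password inside a logged dblink(...) call. The value is
# one of: ''...'' (a quoted libpq value as it appears doubled inside a SQL
# literal), '...' (a quoted value inside a dollar-quoted literal), or a bare
# token, which in libpq syntax cannot contain whitespace or a quote.
_PASSWORD_RE = re.compile(
    r"(?i)(password\s*=\s*)(?:''(?:[^']|'{4})*''|'[^']*'|[^\s']+)"
)

# Constructed log_statement output; the hosts, roles and passwords are invented.
SAMPLE_LOG = [
    "2010-08-24 12:20:01 EDT LOG:  statement: SELECT * FROM dblink("
    "'dbname=sales host=db2.internal port=5432 user=report password=hunter2 ', "
    "'SELECT count(*) FROM orders') AS t(n bigint);",
    "2010-08-24 12:20:02 EDT LOG:  statement: SELECT * FROM dblink("
    "'host=db3 user=etl password=''p w''', 'SELECT 1') AS t(x int);",
    "2010-08-24 12:20:03 EDT LOG:  statement: SELECT 1;",
]


def redact_passwords(line: str) -> str:
    """Replace every connection-string password value on the line, keeping the key."""
    return _PASSWORD_RE.sub(r"\1[REDACTED]", line)


def find_password_leaks(lines) -> list:
    """Return (index, redacted_line) for each line that carries a connection-string password."""
    return [(i, redact_passwords(line)) for i, line in enumerate(lines)
            if _PASSWORD_RE.search(line)]


def log_mode_findings(st_mode: int) -> list:
    """Describe permission problems for a log file given its st_mode bits.

    The log should be readable and writable by the database owner only
    (mode 0600); any group or world access lets other local users read
    whatever log_statement recorded.
    """
    findings = []
    if st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    if st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def check_log_file(path: str) -> list:
    """Stat a real log file and report its permission findings (empty list means OK)."""
    return log_mode_findings(os.stat(path).st_mode)


if __name__ == "__main__":
    for idx, redacted in find_password_leaks(SAMPLE_LOG):
        print(f"line {idx}: {redacted}")
    # Optional: pass the path of a real postgresql.log to check its mode.
    if len(sys.argv) > 1:
        print(check_log_file(sys.argv[1]) or ["permissions OK"])
```

Run it without arguments to see the two dblink() lines redacted and the plain SELECT left alone; pass a log path to get the permission findings for that file. Setting log_file_mode (or the umask of the postmaster) and the ownership of the log directory is what actually enforces the 0600 condition; this script only reports on it.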