Skip site navigation (1) Skip section navigation (2)

Re: BUG #5938: PostgreSQL Installer outputs log file with superuser password in clear text

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Simon Riggs <simon(at)2ndquadrant(dot)com>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, Craig Sacco <craig(dot)sacco(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #5938: PostgreSQL Installer outputs log file with superuser password in clear text
Date: 2011-03-22 19:57:00
Message-ID: AANLkTi=q0NrJS4w3k+2BVTDbgWfrB+g+8AVYE+OzQRU3@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-bugs
On Tue, Mar 22, 2011 at 12:33 PM, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:
>>> This has been fixed for the next releases.
>>
>> For the sake of the archives, it should also be noted that the file is in a
>> secure directory, much as a .pgpass file would be, so this is generally only
>> an issue for the situation described above, and not when a user installs a
>> copy himself.
>
> I accept its not a worst-case problem, but we should rate the problem
> A-D as with other security issues.
> All cases should get a rating so we know what we're dealing with
>
> The problem is that the password is disclosed in a surprising way.
> .pgpass files are explicitly put there by a user, so they know what
> they've done.
>
> Putting a password in cleartext somewhere is an issue if people don't
> know about it.

I agree completely.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

In response to

pgsql-bugs by date

Next:From: Robert HaasDate: 2011-03-22 19:58:47
Subject: Re: BUG #5941: i don t understand
Previous:From: Devrim GÜNDÜZDate: 2011-03-22 19:43:35
Subject: Re: BUG #5941: i don t understand

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group