Re: BUG #5938: PostgreSQL Installer outputs log file with superuser password in clear text

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Simon Riggs <simon(at)2ndquadrant(dot)com>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, Craig Sacco <craig(dot)sacco(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #5938: PostgreSQL Installer outputs log file with superuser password in clear text
Date: 2011-03-22 19:57:00
Message-ID: AANLkTi=q0NrJS4w3k+2BVTDbgWfrB+g+8AVYE+OzQRU3@mail.gmail.com
Lists: pgsql-bugs

On Tue, Mar 22, 2011 at 12:33 PM, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:
>>> This has been fixed for the next releases.
>>
>> For the sake of the archives, it should also be noted that the file is in a
>> secure directory, much as a .pgpass file would be, so this is generally only
>> an issue for the situation described above, and not when a user installs a
>> copy himself.
>
> I accept it's not a worst-case problem, but we should rate the problem
> A-D as with other security issues.
> All cases should get a rating so we know what we're dealing with
>
> The problem is that the password is disclosed in a surprising way.
> .pgpass files are explicitly put there by a user, so they know what
> they've done.
>
> Putting a password in cleartext somewhere is an issue if people don't
> know about it.

I agree completely.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
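The mitigation the thread points at is to keep password values out of installer logs in the first place, and to be able to check an existing log for leaks. The following is an added example written for this page; it is not code from the PostgreSQL installer or from anyone in the thread. The flag names (`--superpassword`, `password:`) and the sample log lines are constructed for illustration.

```python
import re

# Keys whose values must never reach a log file. These names are assumptions
# for the example, not a list taken from any particular installer.
SECRET_KEYS = ("superpassword", "servicepassword", "pgpassword", "password", "passwd")
MASK = "********"

_KEYS = "|".join(SECRET_KEYS)
# Three ways a secret commonly shows up in a log line:
#   key=value / key: value      (config-style)
#   --key value                 (command-line flag with a separate argument)
#   key 'value' / key "value"   (SQL-style, e.g. ALTER USER ... PASSWORD 'x')
# A bare "password has been set" in prose is deliberately NOT matched.
_SECRET_RE = re.compile(
    rf"(?P<prefix>\b(?:{_KEYS})\s*[=:]\s*|--(?:{_KEYS})\s+|\b(?:{_KEYS})\s+(?=[\"']))"
    rf"(?P<value>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)


def redact_line(line: str) -> str:
    """Return the line with every recognised password value replaced by MASK.

    Intended to sit between an installer's logging call and the file on disk,
    so the cleartext value is never written at all.
    """
    return _SECRET_RE.sub(lambda m: m.group("prefix") + MASK, line)


def leaks_secret(line: str) -> bool:
    """True if the line still carries an unmasked password value."""
    m = _SECRET_RE.search(line)
    return m is not None and m.group("value").strip("\"'") != MASK


def scan_log(lines):
    """Return 1-based numbers of lines that expose a password in cleartext.

    Useful as an after-the-fact check on a log an installer already wrote.
    """
    return [n for n, line in enumerate(lines, 1) if leaks_secret(line)]


# Constructed sample of an installer log; none of these lines are real output.
SAMPLE_LOG = [
    "Installing PostgreSQL 9.0 to C:\\Program Files\\PostgreSQL\\9.0",
    'Executing: initcluster.vbs --superpassword=Pa55w0rd! --datadir="C:\\data"',
    "Running: psql -c \"ALTER USER postgres PASSWORD 'Pa55w0rd!'\"",
    "Password has been set for the service account",
    "Service password: Pa55w0rd!",
]

if __name__ == "__main__":
    print("leaking lines before redaction:", scan_log(SAMPLE_LOG))
    redacted = [redact_line(line) for line in SAMPLE_LOG]
    print("leaking lines after redaction:", scan_log(redacted))
    for line in redacted:
        print(line)
```

The regex errs on the side of masking: a non-secret token that happens to follow `password=` is masked too, which costs nothing, whereas a missed value is exactly the disclosure discussed above. Anything that bypasses the filter (a raw `.pgpass`-format line, a dumped environment block) needs its own rule, so the `scan_log` check over the finished file is the part worth keeping in a test suite.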
