From: | Don Seiler <don(at)seiler(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-admin <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: Passwords in clear text in server log |
Date: | 2017-10-11 15:22:31 |
Message-ID: | CAHJZqBAtBvHuMh5mF66hj-P9sb4hhps1Nv7aR-iZG-90SS8_0Q@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
On Wed, Oct 11, 2017 at 9:48 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Don Seiler <don(at)seiler(dot)us> writes:
> > When I run a CREATE USER or ALTER USER statement and set a password for a
> > user, that statement gets printed to the server log, along with the
> > password, IN CLEAR TEXT.
>
> This is why psql has provisions for encrypting a new password on the
> client side --- see \password.
>
That's nice to have that option, but why even make it an option? If this
is a dead horse that was finished being beaten years ago, my apologies. I'm
curious what other non-psql clients do when allowing a user to change their
password, I've only ever tried it with psql on the local DB host.
More generally, almost any SQL command might contain data that somebody
> thinks is sensitive for some purpose or other. If you're going to log
> commands, it behooves you to make sure the log is not widely readable.
I strongly disagree. Sure, I might have HIPAA or financial data but we're
talking about database user security here. Why would we *ever* want that
logged to server logs? Regardless of if it was initially transmitted over
the wire in plain text or whatever else the client/user can control, there
should never be a reason to log that value in clear text (IMHO). It seems
like it would only ever be a liability. Log the CREATE/ALTER user command
(according to the log_statement value) but mask the password.
--
Don Seiler
www.seiler.us
From | Date | Subject | |
---|---|---|---|
Next Message | Scott Marlowe | 2017-10-11 15:33:41 | Re: Passwords in clear text in server log |
Previous Message | Tom Lane | 2017-10-11 14:48:33 | Re: Passwords in clear text in server log |