From: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> |
---|---|
To: | Don Seiler <don(at)seiler(dot)us> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-admin <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: Passwords in clear text in server log |
Date: | 2017-10-11 15:33:41 |
Message-ID: | CAOR=d=0-vy+W=FrcHxd7dCX=Nob-VqkB-=Gmz+QxYriCuqJUTg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
On Wed, Oct 11, 2017 at 9:22 AM, Don Seiler <don(at)seiler(dot)us> wrote:
> On Wed, Oct 11, 2017 at 9:48 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>
>> Don Seiler <don(at)seiler(dot)us> writes:
>> > When I run a CREATE USER or ALTER USER statement and set a password for
>> > a
>> > user, that statement gets printed to the server log, along with the
>> > password, IN CLEAR TEXT.
>>
>> This is why psql has provisions for encrypting a new password on the
>> client side --- see \password.
>
>
> That's nice to have that option, but why even make it an option? If this is
> a dead horse that was finished being beaten years ago, my apologies. I'm
> curious what other non-psql clients do when allowing a user to change their
> password, I've only ever tried it with psql on the local DB host.
>
>> More generally, almost any SQL command might contain data that somebody
>> thinks is sensitive for some purpose or other. If you're going to log
>> commands, it behooves you to make sure the log is not widely readable.
>
>
> I strongly disagree. Sure, I might have HIPAA or financial data but we're
> talking about database user security here. Why would we *ever* want that
> logged to server logs? Regardless of if it was initially transmitted over
> the wire in plain text or whatever else the client/user can control, there
> should never be a reason to log that value in clear text (IMHO). It seems
> like it would only ever be a liability. Log the CREATE/ALTER user command
> (according to the log_statement value) but mask the password.
FYI our standard hack here is to run
set log_statement='none';
alter user ...
I do agree it would be nice to have postgres stamp out the password
field with *** when logging though
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2017-10-11 15:37:36 | Re: Passwords in clear text in server log |
Previous Message | Don Seiler | 2017-10-11 15:22:31 | Re: Passwords in clear text in server log |