postgresql 8.3 logging user passwords in clear text

On 24.08.2010 01:47:53 by Keith Pinnix

All:

I have a postgresql instance and I have noticed that it is logging the user
passwords in clear text in the postgresql.log. Is this configurable so that it
retains the user info and commands but does not log the password?

Keith

Re: postgresql 8.3 logging user passwords in clear text

On 24.08.2010 08:36:21 by Scott Marlowe

On Mon, Aug 23, 2010 at 5:47 PM, Keith Pinnix wrote:
> All:
>
> I have a postgresql instance and I have noticed that it is logging the user
> passwords in clear text in the postgresql.log.   Is this configurable so
> that it retains the user info and commands but does not log the password?

Got some redacted log examples?

-- 
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

Re: postgresql 8.3 logging user passwords in clear text

On 24.08.2010 19:04:07 by alvherre

Excerpts from Keith Pinnix's message of Mon Aug 23 19:47:53 -0400 2010:
> All:
>
> I have a postgresql instance and I have noticed that it is logging the user
> passwords in clear text in the postgresql.log. Is this configurable so that it
> retains the user info and commands but does not log the password?

In what context? If you're doing ALTER ROLE / PASSWORD with the
password in clear text, then that's obviously going to show up in the
log. The solution is to encrypt them client-side; for example use
\password in psql to change passwords, which does that automatically.

-- 
Álvaro Herrera
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

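What Álvaro's suggestion changes in the log, shown as an added example in Python (it is not code from the thread or from PostgreSQL itself). The role name, password and statements are made up. The hash format is the documented one for MD5-encrypted PostgreSQL passwords: the string `md5` followed by the hex MD5 of the password concatenated with the role name, which is what psql's `\password` computes client-side before sending `ALTER ROLE`. The exact quoting psql emits may differ; the point is which of the two statements ends up in postgresql.log.

```python
import hashlib


def md5_role_password(username, password):
    """Return the stored form of an MD5-encrypted PostgreSQL password.

    Format: 'md5' + hex(md5(password || username)); the role name acts as
    the salt.  Because the server stores this value as-is, a client that
    computes it locally never has to send the cleartext password.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_ident(name):
    # Double-quote an identifier, doubling any embedded double quotes.
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    # Single-quote a string literal, doubling any embedded single quotes.
    return "'" + value.replace("'", "''") + "'"


def alter_role_cleartext(username, password):
    """The statement a DBA types by hand; log_statement = 'ddl' records it verbatim."""
    return "ALTER ROLE %s PASSWORD %s;" % (quote_ident(username), quote_literal(password))


def alter_role_hashed(username, password):
    """Roughly what psql \\password sends: only the md5 string reaches the server and its log."""
    hashed = md5_role_password(username, password)
    return "ALTER ROLE %s PASSWORD %s;" % (quote_ident(username), quote_literal(hashed))


if __name__ == "__main__":
    # Hypothetical role and password for the demonstration.
    user, pw = "keith", "hunter2"
    print("logged when typed in clear text :", alter_role_cleartext(user, pw))
    print("logged when hashed client-side  :", alter_role_hashed(user, pw))
```

Note that the md5 value is itself a credential for the MD5 authentication method (anyone who can read it from the log can use it in the MD5 challenge-response), so this removes the cleartext from the log but does not make the log safe to share.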

Re: postgresql 8.3 logging user passwords in clear text

On 24.08.2010 21:01:51 by Scott Marlowe

On Tue, Aug 24, 2010 at 12:20 PM, Keith Pinnix wrote:
> Scott:
>
> The entries are from dblink something like below:
>
>  SELECT * FROM dblink('dbname=XXXXXX  host=XXXXXX port=XXX  user=XXXXX
> password=XXXXXXX ',
>
> We use this feature quite a bit and this presents quite a security issue.
> We are currently using 8.3.

You could set up those machines to connect via trust. But yeah,
dblink otherwise has passwords in the connect string.


Re: postgresql 8.3 logging user passwords in clear text

On 24.08.2010 21:40:35 by Tom Lane

Scott Marlowe writes:
> On Tue, Aug 24, 2010 at 12:20 PM, Keith Pinnix wrote:
>> The entries are from dblink something like below:
>>  SELECT * FROM dblink('dbname=XXXXXX  host=XXXXXX port=XXX  user=XXXXX
>> password=XXXXXXX ',

> You could set up those machines to connect via trust. But yeah,
> dblink otherwise has passwords in the connect string.

Actually, the general opinion on this is that the postmaster log files
have to be protected because they might contain sensitive data;
*especially* so if you're enabling log_statements, but even without
that. dblink passwords are just one small manifestation of the general
problem. As an example, you might be inserting customers' credit card
numbers or some such into your tables. Even if the log_statement
mechanism understood that it should hide passwords, it's hardly likely
to know that specific bits of ordinary data have security implications.

IOW: you're trying to fix this in the wrong place. Secure your
logfiles, don't imagine that you can prevent there being any sensitive
info in them.

regards, tom lane

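Tom's two points, that a redactor can only strip what it recognises and that the real control is the permissions on the log files, as an added example in Python (not code from the thread or from PostgreSQL). The log lines are constructed to look like `log_statement = 'all'` output with a `%t` prefix; every host, role, password and card number in them is invented. The regexes cover libpq `password=` keywords in a dblink connection string (bare, quoted, or quoted-and-doubled inside a SQL literal) and `PASSWORD '...'` in CREATE/ALTER ROLE, and nothing else, which is exactly why the last sample line survives untouched.

```python
import os
import re
import stat

# Constructed sample of a PostgreSQL 8.3 log with log_statement = 'all'.
# Hosts, roles, passwords and the card number are made up for this example.
SAMPLE_LOG_LINES = [
    "2010-08-23 19:40:12 EDT LOG:  statement: SELECT * FROM dblink('dbname=orders "
    "host=db2.example.internal port=5432 user=reporter password=s3cret-pw', "
    "'SELECT count(*) FROM invoices') AS t(n bigint);",
    "2010-08-23 19:41:03 EDT LOG:  statement: SELECT dblink_connect('c1', "
    "'host=db3.example.internal dbname=crm user=sync password=''pass with space''');",
    "2010-08-23 19:41:09 EDT LOG:  statement: ALTER ROLE keith PASSWORD 'hunter2';",
    "2010-08-23 19:42:00 EDT LOG:  statement: INSERT INTO customers (name, card_number) "
    "VALUES ('A. Customer', '4111111111111111');",
]

# libpq conninfo `password=value`.  The value is tried as: a single-quoted
# string with quotes doubled (how it appears inside a SQL literal), a plain
# single-quoted string, or a bare token that stops at whitespace or at the
# SQL literal's closing quote.
CONNINFO_PASSWORD = re.compile(r"(?i)\bpassword\s*=\s*(?:''[^']*''|'[^']*'|[^\s']+)")

# CREATE/ALTER ROLE ... PASSWORD '<literal>' (cleartext or md5; both get redacted
# because the md5 form is usable for MD5 authentication on its own).
ROLE_PASSWORD = re.compile(r"(?i)\bPASSWORD\s+'(?:[^']|'')*'")


def redact_line(line):
    """Return (redacted_line, number_of_secrets_removed)."""
    line, n1 = CONNINFO_PASSWORD.subn("password=<redacted>", line)
    line, n2 = ROLE_PASSWORD.subn("PASSWORD '<redacted>'", line)
    return line, n1 + n2


def redact_log(lines):
    """Redact a sequence of log lines; returns (lines, total_redactions)."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    return out, total


def log_mode_is_private(mode):
    """True if the permission bits grant nothing to group or others (e.g. 0600)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def audit_log_dir(log_directory):
    """Return paths under log_directory that group or others can read.

    Point this at the server's log_directory (or wherever syslog writes the
    postgres facility); anything listed is readable by more than the owner.
    """
    exposed = []
    for root, _dirs, files in os.walk(log_directory):
        for name in files:
            path = os.path.join(root, name)
            if not log_mode_is_private(os.stat(path).st_mode):
                exposed.append(path)
    return exposed


if __name__ == "__main__":
    redacted, count = redact_log(SAMPLE_LOG_LINES)
    print("%d secrets redacted" % count)
    for line in redacted:
        print(line)
    # The fourth line still carries a card number: the redactor only knows
    # password syntax, not which ordinary column values are sensitive.
```

The redaction is worth running as a check on what your logs already contain, not as the control: `audit_log_dir` is the part that addresses the problem Tom describes, and it should come back empty for the log directory, for any copies shipped to a log collector, and for backups of either.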