From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Steven Siebert <smsiebe(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
Date: | 2014-06-19 16:09:01 |
Message-ID: | 20140619160901.GW16098@tamriel.snowman.net |
Lists: | pgsql-bugs |
* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> On Thu, Jun 19, 2014 at 5:37 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > I actually don't really see a huge problem with 1, but I need to go
> > review the thread in more detail...
>
> The reason the raw line was added in the first place was debugging cases
> where the running pg_hba.conf might not be the same as the one in the
> filesystem - either because of a reload not being done, or a reload of a
> broken file.
erm, not entirely convinced that's a great reason to log the whole line,
but..
> I think 3 is a good option of these, assuming we can do it in a reasonably
> good way.
I'd be fine with this approach. I'd definitely like to see this
addressed in some manner because it's, clearly, not going to go away as
a request (I remember dealing with similar issues quite a few years ago
and all the arguments about how it "should" be ok to log passwords
didn't fly and we ended up having to address it also).
Thanks,
Stephen