From: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Steven Siebert <smsiebe(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
Date: | 2014-10-13 18:48:13 |
Message-ID: | 20141013184812.GY7043@eldon.alvh.no-ip.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
Bruce Momjian wrote:
> On Sun, Oct 12, 2014 at 03:42:10PM -0400, Tom Lane wrote:
> > The right problem to be solving, to my mind, is that you feel a need
> > to give access to the postmaster log to untrusted people. Now maybe
> > that's just a problem of wrong administrative procedures, but let's
> > consider what we might do in PG to improve your ability to do that
> > safely. Perhaps what we should be entertaining is a proposal to have
> > multiple log channels, some containing more security-relevant messages
> > and others less so. Then you could give people the ability to read only
> > the non-security-relevant messages. If we arranged for *all* messages
> > relevant to pg_hba.conf to go into a secure log, it'd be a lot easier to
> > convince ourselves that we would not leak any security-critical info
> > than if we take the approach this patch proposes.
>
> Uh, are we ready to output pg_hba.conf syntax errors (that might contain
> passwords) to the that security channel? That seems confusing too. :-(
I don't see why it would be confusing. The rule would be along the
lines of "if there's a problem parsing pg_hba.conf, log to the security
channel". It doesn't matter that the actual contents being logged turn
out not to be security sensitive; it's enough that they *could be*.
If this seems confusing, an idea is to log a generic "parse errors in
pg_hba.conf, see security.log for details" to the standard log channel.
But this doesn't seem necessary to me.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2014-10-13 19:40:10 | Re: BUG #11325: Documentation Bug / RFE |
Previous Message | Bruce Momjian | 2014-10-13 15:25:52 | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |