Security of ODBC debug log file leaves something to be desired

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-odbc(at)postgreSQL(dot)org
Subject: Security of ODBC debug log file leaves something to be desired
Date: 2005-04-08 03:00:24
Message-ID: 24444.1112929224@sss.pgh.pa.us
Lists: pgsql-odbc

I got a complaint here
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154126
pointing out that when you set debug=1, the generated log file
is world-readable by default, which doesn't seem like a good
idea when it may contain your password. Also, since the name
of the file is pretty predictable, there is an opportunity
for a symlink redirection attack (though I doubt anything
really interesting could be accomplished that way).

Any thoughts about fixing this? It's hard to believe no one
has pointed it out before, so I was wondering if there was some
good reason for doing it like this.

regards, tom lane
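
An added example, not part of the original message and not psqlODBC's own code: one way a C program can open a debug log so that it is never world-readable and a symlink planted at the predictable name is refused. The function name `open_debug_log` and the demo path are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW and dprintf */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) a debug log for appending, readable by the owner only.
 * Returns a file descriptor, or -1 if the path is unsafe to use. */
int open_debug_log(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the final path component is a symlink.
     * 0600: a newly created file is never group/world readable. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* Check the object we actually opened, not the name. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||        /* not a FIFO, device, ... */
        st.st_uid != geteuid() ||      /* pre-created by someone else */
        st.st_nlink != 1 ||            /* hard link to another file */
        fchmod(fd, 0600) != 0) {       /* tighten a pre-existing file */
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed path, for the demo only. */
    int fd = open_debug_log("./odbc_debug_demo.log");
    if (fd < 0) {
        perror("open_debug_log");
        return 1;
    }
    dprintf(fd, "debug log opened safely\n");
    close(fd);
    return 0;
}
```

Placing the log in a directory only the user can write to, rather than a shared one, removes the pre-creation and symlink races altogether.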
