Re: BUG #10680: LDAP bind password leaks to log on failed authentication

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Steven Siebert <smsiebe(at)gmail(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #10680: LDAP bind password leaks to log on failed authentication
Date: 2014-06-19 14:57:30
Message-ID: 31008.1403189850@sss.pgh.pa.us
Lists: pgsql-bugs

Steven Siebert <smsiebe(at)gmail(dot)com> writes:
> Agreed. In our situation (government), though, we must export out
> logs to enterprise logging services where auditors (that wouldn't
> otherwise have access to the server/process) would be able to see it.

The thing is that the postmaster logs will certainly contain all manner
of sensitive information. A few examples:

* Occasionally, people mess up and enter their username as their password
and vice versa. Logging of connection failures, or indeed mere logging of
error messages, will therefore expose their password --- admittedly, not
identified as such, but if you see a subsequent successful connection you
know whose it was.

* Logging of queries is likely to expose sensitive user data in the form
of constants in the queries, eg "INSERT INTO customers (name, address,
credit_card_number) VALUES (...)". Even if you're not logging all
queries, failed queries could still expose such data.

* An example pretty directly connected to yours is that people have
complained about how statement logging will capture "ALTER USER joe
WITH PASSWORD 'joes-new-password'".

So basically, making the logs safe to show to untrusted auditors is a
fool's errand. You need to deal with this problem in some other,
nontechnical, way. IOW, why exactly don't you trust the auditors,
and how will you fix that?

regards, tom lane
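
The three leak classes listed in the message above, as an added example that is not part of the original message or of PostgreSQL: a heuristic scan that flags such lines in a log before it is exported, reporting only line numbers and classes, never the values. The log lines are constructed, and the `log_line_prefix` of `'%t [%p] %h '`, the two-minute window and all names in the code are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines, assuming log_line_prefix = '%t [%p] %h ' (not from the thread).
SAMPLE_LOG = """\
2014-06-19 14:50:01 UTC [4101] 10.0.0.5 FATAL:  password authentication failed for user "s3cr3t-pw"
2014-06-19 14:50:09 UTC [4102] 10.0.0.5 LOG:  connection authorized: user=joe database=crm
2014-06-19 14:51:30 UTC [4102] 10.0.0.5 LOG:  statement: ALTER USER joe WITH PASSWORD 'joes-new-password'
2014-06-19 14:52:00 UTC [4102] 10.0.0.5 ERROR:  relation "customer" does not exist
2014-06-19 14:52:00 UTC [4102] 10.0.0.5 STATEMENT:  INSERT INTO customer (name, credit_card_number) VALUES ('Ann', '4111111111111111')
2014-06-19 14:53:00 UTC [4102] 10.0.0.5 LOG:  statement: SELECT count(*) FROM orders
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[\d+\] (\S+) (\w+):\s+(.*)$")
PASSWORD_DDL = re.compile(r"\b(?:ALTER|CREATE)\s+(?:USER|ROLE)\b.*\bPASSWORD\s+'", re.I | re.S)
LITERAL = re.compile(r"'(?:[^']|'')*'")  # any quoted SQL constant
AUTH_FAIL = re.compile(r'authentication failed for user "([^"]*)"')
AUTH_OK = re.compile(r"connection authorized: user=(\S+)")
WINDOW = timedelta(minutes=2)  # hypothetical correlation window


def find_leaks(log_text):
    """Return sorted (line_number, leak_class) pairs; secret values are never returned."""
    findings, recent_failures = set(), []  # recent_failures: (line_no, time, host, name)
    for no, raw in enumerate(log_text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        host, level, msg = m.group(2), m.group(3), m.group(4)
        if PASSWORD_DDL.search(msg):
            findings.add((no, "password-in-ddl"))
        elif (level == "STATEMENT" or msg.startswith("statement:")) and LITERAL.search(msg):
            findings.add((no, "literal-in-statement"))
        fail, ok = AUTH_FAIL.search(msg), AUTH_OK.search(msg)
        if fail:
            recent_failures.append((no, when, host, fail.group(1)))
        elif ok:
            # A failed login from the same host shortly before a success under a different
            # name suggests the "username" typed first was really the password.
            for f_no, f_when, f_host, f_name in recent_failures:
                if f_host == host and when - f_when <= WINDOW and f_name != ok.group(1):
                    findings.add((f_no, "possible-password-as-username"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, leak_class in find_leaks(SAMPLE_LOG):
        print(line_no, leak_class)
```

A scan like this only catches the patterns it is written for, so it can mark lines to withhold but cannot show that the remaining lines are free of sensitive data.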
