From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | Matthias Apitz <guru(at)unixarea(dot)de>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Indrajeeth Deshmukh <bkindrajeeth(at)gmail(dot)com>, David Rowley <dgrowleyml(at)gmail(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs |
Date: | 2025-02-19 08:58:17 |
Message-ID: | d3fe51d491e89b6a2946d8cc98a60e4d4b39c145.camel@cybertec.at |
Lists: | pgsql-bugs |

On Wed, 2025-02-19 at 06:57 +0100, Matthias Apitz wrote:
> What do I have to configure in the PostgreSQL server to get this
> reproduced? I tried:
>
> $ psql -Usisis testdb
> psql (15.1, server 16.5)
> WARNING: psql major version 15, server major version 16.
> Some psql features might not work.
> Type "help" for help.
>
> testdb=# CREATE USER bla WITH PASSWORD 'bla';
> CREATE ROLE
> testdb=#
>
> and have nothing in the log:
>
> $ tail /data/postgresql165/log/postgresql-2025-02-19_000000.log
> ...
>
> 2025-02-19 06:15:23.582 CET [1947] LOG: checkpoint complete: wrote 1421 buffers (8.7%); 0 WAL file(s) added, 1 removed, 0 recycled; write=142.168 s, sync=0.003 s, total=142.186 s; sync files=57, longest=0.002 s, average=0.001 s; distance=18403 kB, estimate=18403 kB; lsn=5/72470898, redo lsn=5/7246F048
>
> I even set
>
> log_statement = 'all'
>
> and restarted the server - nothing.

Setting "log_statement" to "all", "mod" or "ddl" would do the trick.
You must have made some basic mistake.
Look at "pg_settings" to see what your current setting for "log_statement" is
and where it is coming from.

> The purpose of my question is to inform our 50++ PostgreSQL customers
> what they must avoid...

I'd call that an unfair bias against your younger customers.

Yours,
Laurenz Albe
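
The exposure discussed in this thread, as an added example that is not part of the original message or of PostgreSQL: a Python scanner that flags server log entries in which a CREATE/ALTER USER or ROLE statement carries a plaintext password literal, and returns those lines redacted. The log lines are constructed, and the `statement:` entry layout is an assumption about how the server writes commands when "log_statement" covers them.

```python
import re

# CREATE/ALTER USER|ROLE ... PASSWORD '<literal>' inside a logged statement.
# Only standard single-quoted literals ('' as an escaped quote) are handled.
PASSWORD_STMT = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:USER|ROLE)\b[^;]*?\bPASSWORD\s+'((?:[^']|'')*)'",
    re.IGNORECASE,
)
# Literals that are already verifiers rather than plaintext, e.g. what
# psql's \password sends after hashing on the client.
HASHED = re.compile(r"^(?:SCRAM-SHA-256\$\d+:|md5[0-9a-f]{32}$)")

# Constructed sample log lines (not taken from the server in the thread).
SAMPLE_LOG = [
    "2025-02-19 06:15:23.582 CET [1947] LOG:  checkpoint complete: wrote 1421 buffers (8.7%)",
    "2025-02-19 06:20:01.100 CET [2001] LOG:  statement: CREATE USER bla WITH PASSWORD 'bla';",
    "2025-02-19 06:21:00.000 CET [2001] LOG:  statement: ALTER ROLE bla PASSWORD "
    "'SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy';",
    "2025-02-19 06:22:00.000 CET [2001] LOG:  statement: alter user bla encrypted password 'it''s';",
    "2025-02-19 06:23:00.000 CET [2001] LOG:  statement: SELECT 'password' FROM t;",
]


def scan(lines):
    """Return (line_number, redacted_line) for each plaintext password statement."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = PASSWORD_STMT.search(line)
        # Skip lines without a password literal and literals that are hashes.
        if match is None or HASHED.match(match.group(1)):
            continue
        start, end = match.span(1)
        findings.append((number, line[:start] + "<redacted>" + line[end:]))
    return findings


if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(number, line)
```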