Passwords in clear text in server log

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

When I run a CREATE USER or ALTER USER statement and set a password for a user, that statement gets printed to the server log, along with the password, IN CLEAR TEXT. For example:

2017-10-11 09:20:40 CDT [19024]: [3-1] db=postgres,user=postgres,app=psql,client=[local] LOG:  statement: CREATE USER foo PASSWORD 'bar';
2017-10-11 09:20:42 CDT [19024]: [4-1] db=postgres,user=postgres,app=psql,client=[local] LOG:  statement: ALTER USER foo PASSWORD 'boo123';

These seems like a really bad security bug. Regardless of what other log statement settings you may have, there should never be a reason to print a password in plain text to the logs.

This was in Postgres 9.6.4.

Don.

--
Don Seiler
www.seiler.us
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux