On 6/22/19 6:00 AM, William Denton wrote: >>I guess the original question basically boils down to "Given a >>rogue/dumb app, and a DBA who neglected his job, is it PG's >>business (or even within its possibilities) to mop up ?" > > It feels like you aren't setting people up to land in the pit of success. > It's easy to sit back and call people negligent because they failed to > change settings from their defaults. Data breaches are all too common > due to mis-configured systems, we can all have a good laugh at the > poor people who have suffered breaches due to defaults that > come/came with s3, mongo and many other data stores, but why must > we operate on that level to rather than being a little more defensive? > > How is it useful in a normally configured database to return row data in > error messages? > > Is the client application supposed to parse that data? > > Must the client perform another query to discover column names and > attributes so the data can be parsed? +many I agree entirely. > I can definitely see a use for it during debugging and development where a > human has their eyes on what the database is returning, but I would argue > if you wanted that information for debugging purposes you would enable > verbose logging. Exactly. Dev and test environments it makes sense to send verbose messages to the client. In production it does not. > I have spent a few minutes searching google for terms like > "harden postgres for production" or "locking down postgres" or > "postgres production configuration". NONE mention log_error_verbosity. > Searching the postgres wiki yields no results for log_error_verbosity. Only > once you start searching for the problems caused by log_error_verbosity > can you become aware that this setting exists and should be changed in > production environments. Yet the only mention on of this parameter on any > postgres site (docs or wiki) is the one pasted below Calling people > negligent > for not knowing something, when you have failed to tell them seems > disingenuous. > > Further, the documentation for log_error_verbosity mentions nothing > about the > data returned to the client. This text is explicitly talking about the > server log. > >>Controls the amount of detail written in the server log for each > message that is >>logged. Valid values are TERSE, DEFAULT, and VERBOSE, each adding more >>fields to displayed messages. TERSE excludes the logging of DETAIL, >>HINT, QUERY, and CONTEXT error information. VERBOSE output includes the >>SQLSTATE error code (see also Appendix A) and the source code file name, >>function name, and line number that generated the error. Only > superusers can >>change this setting. > > I would suggest that row data should be reclassified as only appearing in > VERBOSE configurations as there is nothing an application client could > do with > that information, it is only useful to a human operating interactively > with the db. In my experience the log files are generally required to be locked down similarly to postgres itself, as was pointed out by (I think) Tom elsewhere on this thread. To me, logging these details to the log file is not the issue. And log files can be controlled in such a way as to protect them even from the superuser and/or be shipped off to a log collector for audit purposes. The issue is the level of detail sent to the client. There is a setting, client_min_messages, which could be used as a broad hammer to clamp what gets sent to the client except that it is user settable. I think if we made that superuser set instead it might at least be a step in the right direction, although I have not tested to see what the results of an error look like at the client in that case. Separately I previously submitted a patch to optionally redact the messages that go to the client. That would allow the client app to get the SQL error code at least, but not the message. But it was rejected in the last commitfest. See the relevant thread here: https://www.postgresql.org/message-id/flat/2811772.0XtDgEdalL@peanuts2 Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development