I do not have access to a Postgres installation, so I cannot check.
I am a security guy, and I'm seeing plaintext passwords in the logs:
create user user1 with password 'PLAINTEXT PASSWORD'
How can the DBAs change or create their passwords without the password in the clear in the logs?
I've seen this, which states you can use an md5 hash of the password, but then the hash is also in the clear. Is there a better way?
Best Answer
It sounds like
log_statement
is set toall
.If you wish to prevent passwords from appearing in the logs while
log_statement
is set to a value that capturesALTER USER
/ALTER ROLE
then you'll want to override that when changing passwords. e.g.You must be a superuser to do this. Normal users cannot override logging rules.
It would be nice if PostgreSQL supported flagging some parameters to statements (or even functions) as security-sensitive and allowed users to request that they be masked in logs,
pg_stat_statements
,pg_stat_activity
, etc. There is not currently any such feature - but hey, patches are welcome. If you're genuinely interested, post on pgsql-hackers before writing any actual code so you can get advice and comments, though. Alternately, speak to someone who does contract development.In general PostgreSQL expects you to treat the logs as sensitive.
There are other areas where logging is a serious security concern. For example some of the
pgcrypto
functions take crypto keys as parameters.