BUG #10680 - ldapbindpasswd leaks to postgresql log

Started by Steven Siebert over 11 years ago, 3 messages
#1 Steven Siebert
smsiebe@gmail.com
1 attachment(s)

Hello,

Attached is a proposed patch for BUG #10680.

It's a simple fix to the problem of the ldapbindpasswd leaking in
clear text to the postgresql log. The patch simply removes the raw
pg_hba.conf line from the log message, but retains the log line number
to assist admins in troubleshooting.

The patch is against the master branch and compiles/tests green.

Please let me know if there is anything I can do to get this worked
into the next (or perhaps current?) commit fest. This is a critical
issue for us to meet government accreditation (security) requirements.

Thanks,

Steve

Attachments:

bug_10680_v1.patch (application/octet-stream)
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 70b0b93..56d5581 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -272,8 +272,8 @@ auth_failed(Port *port, int status, char *logdetail)
 			break;
 	}
 
-	cdetail = psprintf(_("Connection matched pg_hba.conf line %d: \"%s\""),
-					   port->hba->linenumber, port->hba->rawline);
+	cdetail = psprintf(_("Connection matched pg_hba.conf line %d"),
+					   port->hba->linenumber);
 	if (logdetail)
 		logdetail = psprintf("%s\n%s", logdetail, cdetail);
 	else
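Review bot: dropping port->hba->rawline from the detail string removes the only context (host, database, auth method and the remaining options) an administrator gets when a connection matched an unexpected line, which is exactly the diagnostic loss the replies in this thread object to. A narrower change would keep the line and mask only the value following `ldapbindpasswd=` in a copy of rawline before handing it to psprintf, so the message stays `Connection matched pg_hba.conf line %d: "%s"` and only the secret disappears. Note also that editing the `_()` msgid means existing translations of this message fall back to the English text until the catalogs are updated.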
#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Steven Siebert (#1)
Re: BUG #10680 - ldapbindpasswd leaks to postgresql log

Steven Siebert <smsiebe@gmail.com> writes:

> Attached is a proposed patch for BUG #10680.
>
> It's a simple fix to the problem of the ldapbindpasswd leaking in
> clear text to the postgresql log. The patch simply removes the raw
> pg_hba.conf line from the log message, but retains the log line number
> to assist admins in troubleshooting.

You haven't exactly explained why this is a problem. The proposed patch
would impede diagnosing of many other problems, so it's not going to get
committed without a thoroughly compelling rationale.

Hint: "I don't store my postmaster log securely" is not compelling.
We've been over that ground before; there are far too many reasons
why access to the postmaster log is a potential security hazard
to justify concluding that this particular one is worse.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

#3 Magnus Hagander
magnus@hagander.net
In reply to: Tom Lane (#2)
Re: BUG #10680 - ldapbindpasswd leaks to postgresql log

On Wed, Jun 18, 2014 at 4:50 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> Steven Siebert <smsiebe@gmail.com> writes:
>
>> Attached is a proposed patch for BUG #10680.
>>
>> It's a simple fix to the problem of the ldapbindpasswd leaking in
>> clear text to the postgresql log. The patch simply removes the raw
>> pg_hba.conf line from the log message, but retains the log line number
>> to assist admins in troubleshooting.
>
> You haven't exactly explained why this is a problem. The proposed patch
> would impede diagnosing of many other problems, so it's not going to get
> committed without a thoroughly compelling rationale.

Yes, properly logging that was intentional, in commit
7f49a67f954db3e92fd96963169fb8302959576e.

> Hint: "I don't store my postmaster log securely" is not compelling.
> We've been over that ground before; there are far too many reasons
> why access to the postmaster log is a potential security hazard
> to justify concluding that this particular one is worse.

Yeah, and the password is already in cleartext in a file next to it.

If we actually feel the need to get rid of it, we should do a better job.
Such as actively blanking it out with something else. Since we know the
password (we parsed it out), it shouldn't be impossible to actually blank
out *just the password*, without ruining all the other diagnostics usage of
it.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
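The narrower fix Magnus sketches above, masking only the secret value while keeping the rest of the pg_hba.conf line for diagnostics, as an added example that is not part of this thread or of PostgreSQL's own code. It assumes the pg_hba.conf option syntax `name=value` with an optional double-quoted value, uses plain snprintf in place of the backend's psprintf()/_() so it builds stand-alone, and goes slightly beyond the thread by also covering radiussecret, another pg_hba.conf option that carries a shared secret. The sample line in main() is constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * pg_hba.conf option names whose values must never reach the log.
 * ldapbindpasswd is the option from the bug report; radiussecret is
 * another pg_hba.conf option that carries a shared secret.
 */
static const char *const secret_options[] = { "ldapbindpasswd", "radiussecret" };
#define N_SECRET_OPTIONS (sizeof secret_options / sizeof secret_options[0])

/*
 * Copy rawline into out (at most outlen bytes, always NUL-terminated),
 * replacing the value of every secret option with one '*' per character.
 * Values may be bare (ldapbindpasswd=s3cret) or double-quoted
 * (ldapbindpasswd="s3 cret"); the quotes and everything else on the line
 * are kept, so the line still identifies host, database and auth method.
 * Returns the number of values masked.
 */
int redact_hba_line(const char *rawline, char *out, size_t outlen)
{
    size_t n = strlen(rawline);
    size_t i = 0, o = 0;
    int masked = 0;

    if (outlen == 0)
        return 0;

    while (i < n && o + 1 < outlen)
    {
        size_t k;
        int matched = 0;

        for (k = 0; k < N_SECRET_OPTIONS; k++)
        {
            const char *key = secret_options[k];
            size_t klen = strlen(key);
            size_t j;
            int quoted;

            /* the option name must start a token and be followed by '=' */
            if (!(i == 0 || isspace((unsigned char) rawline[i - 1])))
                continue;
            if (strncmp(rawline + i, key, klen) != 0 || rawline[i + klen] != '=')
                continue;

            /* copy "name=" through unchanged */
            j = i + klen + 1;
            while (i < j && o + 1 < outlen)
                out[o++] = rawline[i++];

            quoted = (rawline[j] == '"');
            if (quoted && o + 1 < outlen)
            {
                out[o++] = '"';
                j++;
            }

            /* mask the value: up to the closing quote, or up to whitespace */
            while (j < n && o + 1 < outlen &&
                   (quoted ? rawline[j] != '"'
                           : !isspace((unsigned char) rawline[j])))
            {
                out[o++] = '*';
                j++;
            }

            if (quoted && rawline[j] == '"' && o + 1 < outlen)
            {
                out[o++] = '"';
                j++;
            }

            i = j;
            masked++;
            matched = 1;
            break;
        }

        if (!matched)
            out[o++] = rawline[i++];
    }
    out[o] = '\0';
    return masked;
}

/*
 * Build the detail message auth_failed() emits, but from the redacted
 * line, so the line number and the non-secret context both survive.
 */
int format_match_detail(int linenumber, const char *rawline,
                        char *out, size_t outlen)
{
    char safe[1024];

    redact_hba_line(rawline, safe, sizeof safe);
    return snprintf(out, outlen,
                    "Connection matched pg_hba.conf line %d: \"%s\"",
                    linenumber, safe);
}

int main(void)
{
    /* constructed sample line, not from any real deployment */
    const char *line =
        "host all all 0.0.0.0/0 ldap ldapserver=ldap.example.com "
        "ldapbinddn=\"cn=pg,dc=example\" ldapbindpasswd=s3cret ldapsearchattribute=uid";
    char detail[1200];

    format_match_detail(12, line, detail, sizeof detail);
    puts(detail);
    return 0;
}
```

Matching on the option name rather than on the parsed password value avoids the trap of a short password (say, "ldap") also blanking parts of other tokens on the line, and a line with no secret-bearing option is copied through unchanged, so the diagnostics Tom and Magnus want to preserve are untouched.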