On Wed, Oct 14, 2009 at 6:08 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> On Wed, Oct 14, 2009 at 18:25, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> Let's see you do that (hint: "CREATD USER ... PASSWORD" is going to
>>> throw a syntax error before you realize there's anything there that
>>> might need to be protected).
>
>> I'm unsure if it's our responsibility to think about that. We can leak
>> a *lot* of sensitive information to the logs through syntax errors,
>> this is just one of them. We *do* need to worry about the statements
>> when they are sent properly, of course.
>
> Even if they're "sent properly", this entire discussion misses the point.
> The reason to not want cleartext passwords in the logs is that the user
> doesn't trust the DBA. Why would a user who doesn't trust the DBA
> want to trust him to not be running a modified copy of the database with
> all this nice logic disabled?
If you trust him that little, why would you use a password that you
also use elsewhere?
Besides, if he can run a modified version of the database, its game
over anyway. Just set pg_hba.conf's auth method to password, and you
don't even have to wait for the user to change their password - you
can grab it the next time he logs in.
--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
