Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs - Mailing list pgsql-bugs

From Laurenz Albe
Subject Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs
Msg-id d3fe51d491e89b6a2946d8cc98a60e4d4b39c145.camel@cybertec.at
In response to Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs  (Matthias Apitz <guru@unixarea.de>)
Responses Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs
List pgsql-bugs
On Wed, 2025-02-19 at 06:57 +0100, Matthias Apitz wrote:
> What do I have to configure in the PostgreSQL server to get this
> reproduced? I tried:
>
> $ psql -Usisis testdb
> psql (15.1, server 16.5)
> WARNING: psql major version 15, server major version 16.
>          Some psql features might not work.
> Type "help" for help.
>
> testdb=# CREATE USER bla WITH PASSWORD 'bla';
> CREATE ROLE
> testdb=#
>
> and have nothing in the log:
>
> $ tail /data/postgresql165/log/postgresql-2025-02-19_000000.log
> ...
>
> 2025-02-19 06:15:23.582 CET [1947] LOG:  checkpoint complete: wrote 1421 buffers (8.7%); 0 WAL file(s) added, 1 removed, 0 recycled; write=142.168 s, sync=0.003 s, total=142.186 s; sync files=57, longest=0.002 s, average=0.001 s; distance=18403kB, estimate=18403 kB; lsn=5/72470898, redo lsn=5/7246F048
>
> I even set
>
> log_statement = 'all'
>
> and restarted the server - nothing.

Setting "log_statement" to "all", "mod" or "ddl" would do the trick.
You must have made some basic mistake.

Look in "pg_settings" to see what your current setting for "log_statement" is
and where it is coming from.

> The purpose of my question is to inform our 50++ PostgreSQL customers
> what they must avoid...

I'd call that an unfair bias against your younger customers.

Yours,
Laurenz Albe
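As an added example (not part of the thread, and not PostgreSQL project code): the exposure discussed above can be audited on the defender side by scanning a server log for CREATE/ALTER ROLE statements that carry a plaintext password literal, while skipping literals that are already SCRAM verifiers (what psql's \password sends, so those log lines reveal nothing). The log lines below are constructed samples in the default log_line_prefix style, as log_statement = 'ddl' or 'all' would emit them.

```python
import re

# Constructed sample log lines (not from the original thread), in the shape
# PostgreSQL writes with log_statement = 'ddl' or 'all'.
SAMPLE_LOG = """\
2025-02-19 06:15:23.582 CET [1947] LOG:  checkpoint complete: wrote 1421 buffers (8.7%)
2025-02-19 06:20:01.101 CET [2010] LOG:  statement: CREATE USER bla WITH PASSWORD 'bla';
2025-02-19 06:21:14.007 CET [2010] LOG:  statement: ALTER ROLE app PASSWORD 'SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy';
2025-02-19 06:22:30.555 CET [2011] LOG:  statement: ALTER ROLE bla WITH LOGIN;
2025-02-19 06:23:42.900 CET [2012] LOG:  statement: create role svc password 'S3cret!' login;
"""

# CREATE ROLE/USER or ALTER ROLE/USER ... PASSWORD '<literal>' (case-insensitive,
# doubled single quotes inside the literal allowed)
PASSWORD_STMT = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*?\bPASSWORD\s+'((?:[^']|'')*)'",
    re.IGNORECASE,
)
# A literal that is already a SCRAM-SHA-256 verifier rather than a password
SCRAM_VERIFIER = re.compile(r"^SCRAM-SHA-256\$\d+:")


def find_plaintext_passwords(log_text):
    """Return (line_number, redacted_line) for every logged statement that
    carried a plaintext password literal. Statements whose literal is a SCRAM
    verifier (the form psql's \\password sends) are not reported, because
    logging the verifier does not expose the password itself."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PASSWORD_STMT.search(line)
        if not m or SCRAM_VERIFIER.match(m.group(1)):
            continue
        # Keep the statement for the audit trail, drop the secret itself
        redacted = line[:m.start(1)] + "<redacted>" + line[m.end(1):]
        hits.append((lineno, redacted))
    return hits


if __name__ == "__main__":
    for lineno, redacted in find_plaintext_passwords(SAMPLE_LOG):
        print(f"line {lineno}: {redacted}")
```

For the setting check Laurenz suggests, `SELECT setting, source, sourcefile, sourceline FROM pg_settings WHERE name = 'log_statement';` shows both the effective value and where it was set.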
