| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Steven Siebert <smsiebe(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
| Date: | 2014-10-13 15:25:52 |
| Message-ID: | 20141013152552.GX21267@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Sun, Oct 12, 2014 at 03:42:10PM -0400, Tom Lane wrote:
> The right problem to be solving, to my mind, is that you feel a need
> to give access to the postmaster log to untrusted people. Now maybe
> that's just a problem of wrong administrative procedures, but let's
> consider what we might do in PG to improve your ability to do that
> safely. Perhaps what we should be entertaining is a proposal to have
> multiple log channels, some containing more security-relevant messages
> and others less so. Then you could give people the ability to read only
> the non-security-relevant messages. If we arranged for *all* messages
> relevant to pg_hba.conf to go into a secure log, it'd be a lot easier to
> convince ourselves that we would not leak any security-critical info
> than if we take the approach this patch proposes.
Uh, are we ready to output pg_hba.conf syntax errors (that might contain
passwords) to the that security channel? That seems confusing too. :-(
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2014-10-13 18:48:13 | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
| Previous Message | Tom Lane | 2014-10-13 14:04:41 | Re: BUG #11660: TSVector not returning partial match on word "out" |