How do I hide sensitive information like plaintext passwords from the logs?
Problem
I do not have access to a Postgres installation, so I cannot check.

I am a security guy, and I'm seeing plaintext passwords in the logs:

    create user user1 with password 'PLAINTEXT PASSWORD'

How can the DBAs change or create their passwords without the password in the clear in the logs?

I've seen this, which states you can use an md5 hash of the password, but then the hash is also in the clear. Is there a better way?
Solution
Always prepare password digests client-side

If practical in your environment, use psql's \password command, or the underlying libpq function PQencryptPasswordConn(...) (src). This pre-hashes the password client-side with scram-sha-256 (assuming a modern postgres) then sends it with ALTER USER ... PASSWORD .... Other client drivers may have their own implementations, and if not, it's pretty simple to implement using the client crypto libraries of your choice.

Hiding passwords (or digests) from logs

It sounds like log_statement is set to all. Unfortunately (AFAIK) postgres doesn't special-case ALTER USER ... PASSWORD so there's no strong guarantee made that the hashed password won't get logged. Ideally the libpq protocol would support a "sensitive" flag on bind params, and would support parameter binding for ALTER USER/ALTER ROLE statements. But it doesn't, and the server doesn't proactively mask out the password in the query text either, so we get to work around it. If you wish to prevent passwords from appearing in the logs while log_statement is set to a value that captures ALTER USER / ALTER ROLE then you'll want to override that when changing passwords, e.g.

    BEGIN;
    SET LOCAL log_statement = 'none';
    ALTER USER ... PASSWORD ...;
    COMMIT;

You must be a superuser to do this. Normal users cannot override logging rules.

It would be nice if PostgreSQL supported flagging some parameters to statements (or even functions) as security-sensitive and allowed users to request that they be masked in logs, pg_stat_statements, pg_stat_activity, etc. There is not currently any such feature - but hey, patches are welcome. If you're genuinely interested, post on pgsql-hackers before writing any actual code so you can get advice and comments, though. Alternately, speak to someone who does contract development.

In general PostgreSQL expects you to treat the logs as sensitive.

There are other areas where logging is a serious security concern. For example some of the pgcrypto functions take crypto keys as parameters.
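A client-side implementation of the digest-first approach described in the answer, as an added example that is not from the answer or from PostgreSQL's own code: it builds the same SCRAM-SHA-256 verifier string that PQencryptPasswordConn produces (PBKDF2, then StoredKey and ServerKey, in the pg_authid.rolpassword format) and emits the logging-suppressed ALTER ROLE transaction, so the plaintext never reaches the server or its logs. Function names are assumptions, and SASLprep is omitted, so it refuses non-ASCII passwords rather than producing a verifier the server would compute differently.

```python
import base64
import hashlib
import hmac
import secrets

SCRAM_ITERATIONS = 4096  # PostgreSQL's default iteration count
SCRAM_SALT_LEN = 16      # PostgreSQL's default salt length in bytes

def scram_sha256_verifier(password: str, salt: bytes = None,
                          iterations: int = SCRAM_ITERATIONS) -> str:
    """Build a PostgreSQL SCRAM-SHA-256 verifier client-side (hypothetical helper).
    Format matches what the server stores in pg_authid.rolpassword:
    SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, all base64.
    Simplification: SASLprep is not applied, so only ASCII passwords are accepted.
    """
    if not password.isascii():
        raise ValueError("non-ASCII password needs SASLprep normalisation")
    if salt is None:
        salt = secrets.token_bytes(SCRAM_SALT_LEN)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()   # server stores this, not ClientKey
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def scram_verify(password: str, verifier: str) -> bool:
    """Recompute the verifier from its own salt/iterations and compare (what the server checks)."""
    mech, _, rest = verifier.partition("$")
    params, _, _keys = rest.partition("$")
    iterations, _, salt_b64 = params.partition(":")
    if mech != "SCRAM-SHA-256" or not iterations.isdigit():
        return False
    expected = scram_sha256_verifier(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(expected, verifier)

def quote_ident(name: str) -> str:
    """Double-quote an SQL identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'

def password_change_sql(role: str, password: str) -> str:
    """ALTER ROLE that carries only the verifier, wrapped in the answer's
    SET LOCAL log_statement = 'none' transaction (superuser only)."""
    verifier = scram_sha256_verifier(password)   # plaintext never leaves the client
    return "\n".join(["BEGIN;", "SET LOCAL log_statement = 'none';",
                      f"ALTER ROLE {quote_ident(role)} PASSWORD '{verifier}';", "COMMIT;"])
```

Feed the output to psql as a superuser; the statement text that reaches the server, and anything log_statement would otherwise record, contains only the verifier.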
Context
StackExchange Database Administrators Q#94625, answer score: 13