HiveBrain v1.2.0
Get Started
← Back to all entries
snippetsqlModerate

How do I hide sensitive information like plaintext passwords from the logs?

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
fromthelogspasswordslikehowsensitivehideplaintextinformation

Problem

I do not have access to a Postgres installation, so I cannot check.

I am a security guy, and I'm seeing plaintext passwords in the logs:

create user user1 with password 'PLAINTEXT PASSWORD'


How can the DBAs change or create their passwords without the password in the clear in the logs?

I've seen this, which states you can use an md5 hash of the password, but then the hash is also in the clear. Is there a better way?

Solution

Always prepare password digests client-side

If practical in your environment, use psql's \password command, or the underlying libpq function PQencryptPasswordConn(...) (src).

This pre-hashes the password client-side with scram-sha-256 (assuming a modern postgres) then sends it with ALTER USER ... PASSWORD ....

Other client drivers may have their own implementations, and if not, it's pretty simple to implement based using the client crypto libraries of your choice.
Hiding passwords (or digests) from logs

It sounds like log_statement is set to all.

Unfortunately (AFAIK) postgres doesn't special case ALTER USER ... PASSWORD so there's no strong guarantee made that the hashed password won't get logged.

Ideally the libpq protocol would support a "sensitive" flag on bind params, and would support parameter binding for ALTER USER/ALTER ROLE statements. But it doesn't, and the server doesn't proactively mask out the password in the querytext either, so we get to work around it.

If you wish to prevent passwords from appearing in the logs while log_statement is set to a value that captures ALTER USER / ALTER ROLE then you'll want to override that when changing passwords. e.g.

BEGIN;
SET LOCAL log_statement = 'none';
ALTER USER ... SET PASSWORD ...;
COMMIT;


You must be a superuser to do this. Normal users cannot override logging rules.

It would be nice if PostgreSQL supported flagging some parameters to statements (or even functions) as security-sensitive and allowed users to request that they be masked in logs, pg_stat_statements, pg_stat_activity, etc. There is not currently any such feature - but hey, patches are welcome. If you're genuinely interested, post on pgsql-hackers before writing any actual code so you can get advice and comments, though. Alternately, speak to someone who does contract development.

In general PostgreSQL expects you to treat the logs as sensitive.

There are other areas where logging is a serious security concern. For example some of the pgcrypto functions take crypto keys as parameters.

Code Snippets

BEGIN;
SET LOCAL log_statement = 'none';
ALTER USER ... SET PASSWORD ...;
COMMIT;

Context

StackExchange Database Administrators Q#94625, answer score: 13

Revisions (0)

No revisions yet.