mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

doc: warn about security issues around log files

Browse Source 
Reported-by: Simon Riggs

Discussion: https://postgr.es/m/CANP8+jJESuuXYq9Djvf-+tx2vY2OFLmfEuu+UvwHNJ1RT7iJCQ@mail.gmail.com

Author: Simon Riggs

Backpatch-through: 10
This commit is contained in:
Bruce Momjian 2022-08-12 12:02:20 -04:00
parent d1303bc977
commit a4a24feff4
2 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/src/sgml/config.sgml
View File

@ -6501,6 +6501,13 @@ local0.* /var/log/postgresql
<sect2 id="runtime-config-logging-what"> <sect2 id="runtime-config-logging-what">
<title>What to Log</title> <title>What to Log</title>
<note>
<para>
What you choose to log can have security implications; see
<xref linkend="logfile-maintenance"/>.
</para>
</note>
<variablelist> <variablelist>
<varlistentry id="guc-application-name" xreflabel="application_name"> <varlistentry id="guc-application-name" xreflabel="application_name">
@ -7017,6 +7024,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a '
planning). Set <varname>log_min_error_statement</varname> to planning). Set <varname>log_min_error_statement</varname> to
<literal>ERROR</literal> (or lower) to log such statements. <literal>ERROR</literal> (or lower) to log such statements.
</para> </para>
<para>
Logged statements might reveal sensitive data and even contain
plaintext passwords.
</para>
</note> </note>
</listitem> </listitem>
</varlistentry> </varlistentry>

20
doc/src/sgml/maintenance.sgml
View File

@ -958,7 +958,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu
It is a good idea to save the database server's log output It is a good idea to save the database server's log output
somewhere, rather than just discarding it via <filename>/dev/null</filename>. somewhere, rather than just discarding it via <filename>/dev/null</filename>.
The log output is invaluable when diagnosing The log output is invaluable when diagnosing
problems. However, the log output tends to be voluminous problems.
</para>
<note>
<para>
The server log can contain sensitive information and needs to be protected,
no matter how or where it is stored, or the destination to which it is routed.
For example, some DDL statements might contain plaintext passwords or other
authentication details. Logged statements at the <literal>ERROR</literal>
level might show the SQL source code for applications
and might also contain some parts of data rows. Recording data, events and
related information is the intended function of this facility, so this is
not a leakage or a bug. Please ensure the server logs are visible only to
appropriately authorized people.
</para>
</note>
<para>
Log output tends to be voluminous
(especially at higher debug levels) so you won't want to save it (especially at higher debug levels) so you won't want to save it
indefinitely. You need to <emphasis>rotate</emphasis> the log files so that indefinitely. You need to <emphasis>rotate</emphasis> the log files so that
new log files are started and old ones removed after a reasonable new log files are started and old ones removed after a reasonable