author: Bruce Momjian <bruce@momjian.us> 2022-08-12 12:02:21 -0400
committer: Bruce Momjian <bruce@momjian.us> 2022-08-12 12:02:21 -0400
commit: 5eb38dc1efc6a83043eabbd4d26271ff232389ca (patch)
tree: f29e9557ee5cc0f0c934c89742f3ef595765ebe8
parent: c90dfb62b8bce062c81581bb379c9fdaac54e082 (diff)
doc: warn about security issues around log files
Reported-by: Simon Riggs
Discussion: https://postgr.es/m/CANP8+jJESuuXYq9Djvf-+tx2vY2OFLmfEuu+UvwHNJ1RT7iJCQ@mail.gmail.com
Author: Simon Riggs
Backpatch-through: 10
-rw-r--r-- doc/src/sgml/config.sgml 11
-rw-r--r-- doc/src/sgml/maintenance.sgml 20
2 files changed, 30 insertions, 1 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index c2bdacb6a78..d26021068e8 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -6853,6 +6853,13 @@ local0.* /var/log/postgresql
<sect2 id="runtime-config-logging-what">
<title>What to Log</title>
+ <note>
+ <para>
+ What you choose to log can have security implications; see
+ <xref linkend="logfile-maintenance"/>.
+ </para>
+ </note>
+
<variablelist>
<varlistentry id="guc-application-name" xreflabel="application_name">
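Review bot: the new <note> at the top of "What to Log" says only that logging choices "can have security implications", which does not tell the reader what is at risk before they follow the xref. Consider naming the concern in the same sentence, for example that logged statements can include passwords and row data, and keeping <xref linkend="logfile-maintenance"/> as the pointer to the full text. The linkend target is not defined in any line of this patch, so it is worth confirming that the id exists in maintenance.sgml on every branch covered by "Backpatch-through: 10".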
@@ -7451,6 +7458,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a '
planning). Set <varname>log_min_error_statement</varname> to
<literal>ERROR</literal> (or lower) to log such statements.
</para>
+ <para>
+ Logged statements might reveal sensitive data and even contain
+ plaintext passwords.
+ </para>
</note>
</listitem>
</varlistentry>
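Review bot: the added <para> "Logged statements might reveal sensitive data and even contain plaintext passwords" sits inside the existing <note> about log_min_error_statement, so it can be read as applying only to statements that are logged because they failed. It also carries no cross reference, unlike the note added in the first hunk. Suggest wording it so it clearly covers any logged statement and adding <xref linkend="logfile-maintenance"/> so the reader reaches the longer explanation in maintenance.sgml.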
diff --git a/doc/src/sgml/maintenance.sgml b/doc/src/sgml/maintenance.sgml
index a209a633043..759ea5ac9c4 100644
--- a/doc/src/sgml/maintenance.sgml
+++ b/doc/src/sgml/maintenance.sgml
@@ -977,7 +977,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu
It is a good idea to save the database server's log output
somewhere, rather than just discarding it via <filename>/dev/null</filename>.
The log output is invaluable when diagnosing
- problems. However, the log output tends to be voluminous
+ problems.
+ </para>
+
+ <note>
+ <para>
+ The server log can contain sensitive information and needs to be protected,
+ no matter how or where it is stored, or the destination to which it is routed.
+ For example, some DDL statements might contain plaintext passwords or other
+ authentication details. Logged statements at the <literal>ERROR</literal>
+ level might show the SQL source code for applications
+ and might also contain some parts of data rows. Recording data, events and
+ related information is the intended function of this facility, so this is
+ not a leakage or a bug. Please ensure the server logs are visible only to
+ appropriately authorized people.
+ </para>
+ </note>
+
+ <para>
+ Log output tends to be voluminous
(especially at higher debug levels) so you won't want to save it
indefinitely. You need to <emphasis>rotate</emphasis> the log files so that
new log files are started and old ones removed after a reasonable
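Review bot: the closing sentence of the new <note>, "Please ensure the server logs are visible only to appropriately authorized people", states the requirement without pointing to anything an administrator can set. Suggest a reference to log_file_mode for files written by the logging collector, plus a sentence saying that logs sent elsewhere (the note's own "destination to which it is routed") are protected by that destination's access controls, not by the server. Minor wording: "not a leakage or a bug" reads more naturally as "not a leak or a bug".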