diff options
| author | Bruce Momjian <bruce@momjian.us> | 2022-08-12 12:02:20 -0400 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2022-08-12 12:02:20 -0400 |
| commit | 9039e34e7ed26710e49b4c43d8859387cf4f4faf (patch) | |
| tree | 0b447ae1840ac8609be148105e7ad5d06316391f | |
| parent | ec98eac9873bd50d75fc51a440848d07ba158d8f (diff) | |
| download | postgresql-9039e34e7ed26710e49b4c43d8859387cf4f4faf.tar.gz postgresql-9039e34e7ed26710e49b4c43d8859387cf4f4faf.zip | |
doc: warn about security issues around log files
Reported-by: Simon Riggs
Discussion: https://postgr.es/m/CANP8+jJESuuXYq9Djvf-+tx2vY2OFLmfEuu+UvwHNJ1RT7iJCQ@mail.gmail.com
Author: Simon Riggs
Backpatch-through: 10
| -rw-r--r-- | doc/src/sgml/config.sgml | 11 | ||||
| -rw-r--r-- | doc/src/sgml/maintenance.sgml | 20 |
2 files changed, 30 insertions, 1 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index afe01fa4929..b4336c52668 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -6649,6 +6649,13 @@ local0.* /var/log/postgresql <sect2 id="runtime-config-logging-what"> <title>What to Log</title> + <note> + <para> + What you choose to log can have security implications; see + <xref linkend="logfile-maintenance"/>. + </para> + </note> + <variablelist> <varlistentry id="guc-application-name" xreflabel="application_name"> @@ -7241,6 +7248,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' planning). Set <varname>log_min_error_statement</varname> to <literal>ERROR</literal> (or lower) to log such statements. </para> + <para> + Logged statements might reveal sensitive data and even contain + plaintext passwords. + </para> </note> </listitem> </varlistentry> diff --git a/doc/src/sgml/maintenance.sgml b/doc/src/sgml/maintenance.sgml index 693c92d9cba..eaffb5a6592 100644 --- a/doc/src/sgml/maintenance.sgml +++ b/doc/src/sgml/maintenance.sgml @@ -958,7 +958,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu It is a good idea to save the database server's log output somewhere, rather than just discarding it via <filename>/dev/null</filename>. The log output is invaluable when diagnosing - problems. However, the log output tends to be voluminous + problems. + </para> + + <note> + <para> + The server log can contain sensitive information and needs to be protected, + no matter how or where it is stored, or the destination to which it is routed. + For example, some DDL statements might contain plaintext passwords or other + authentication details. Logged statements at the <literal>ERROR</literal> + level might show the SQL source code for applications + and might also contain some parts of data rows. Recording data, events and + related information is the intended function of this facility, so this is + not a leakage or a bug. Please ensure the server logs are visible only to + appropriately authorized people. + </para> + </note> + + <para> + Log output tends to be voluminous (especially at higher debug levels) so you won't want to save it indefinitely. You need to <emphasis>rotate</emphasis> the log files so that new log files are started and old ones removed after a reasonable |