author | Bruce Momjian <bruce@momjian.us> | 2022-08-12 12:02:20 -0400 |
---|---|---|
committer | Bruce Momjian <bruce@momjian.us> | 2022-08-12 12:02:20 -0400 |
commit | c0252d795edfd95acd3ea2e51096a52a03325065 (patch) | |
tree | c671ebd81eb950a3def8e74ff4f981e4219de50f | |
parent | 72d76a4724e99169a5df111c32a3d74fd8dd3a84 (diff) | |
doc: warn about security issues around log files
Reported-by: Simon Riggs
Discussion: https://postgr.es/m/CANP8+jJESuuXYq9Djvf-+tx2vY2OFLmfEuu+UvwHNJ1RT7iJCQ@mail.gmail.com
Author: Simon Riggs
Backpatch-through: 10
-rw-r--r-- | doc/src/sgml/config.sgml | 11 |
-rw-r--r-- | doc/src/sgml/maintenance.sgml | 20 |
2 files changed, 30 insertions, 1 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index eaad9dc193b..9e307948073 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -6242,6 +6242,13 @@ local0.* /var/log/postgresql <sect2 id="runtime-config-logging-what"> <title>What to Log</title> + <note> + <para> + What you choose to log can have security implications; see + <xref linkend="logfile-maintenance"/>. + </para> + </note> + <variablelist> <varlistentry id="guc-application-name" xreflabel="application_name"> @@ -6684,6 +6691,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' planning). Set <varname>log_min_error_statement</varname> to <literal>ERROR</literal> (or lower) to log such statements. </para> + <para> + Logged statements might reveal sensitive data and even contain + plaintext passwords. + </para> </note> </listitem> </varlistentry> diff --git a/doc/src/sgml/maintenance.sgml b/doc/src/sgml/maintenance.sgml index 1a4585ef90a..7428a827da2 100644 --- a/doc/src/sgml/maintenance.sgml +++ b/doc/src/sgml/maintenance.sgml 
@@ -939,7 +939,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu It is a good idea to save the database server's log output somewhere, rather than just discarding it via <filename>/dev/null</filename>. The log output is invaluable when diagnosing - problems. However, the log output tends to be voluminous + problems. + </para> + + <note> + <para> + The server log can contain sensitive information and needs to be protected, + no matter how or where it is stored, or the destination to which it is routed. + For example, some DDL statements might contain plaintext passwords or other + authentication details. Logged statements at the <literal>ERROR</literal> + level might show the SQL source code for applications + and might also contain some parts of data rows. Recording data, events and + related information is the intended function of this facility, so this is + not a leakage or a bug. Please ensure the server logs are visible only to + appropriately authorized people. + </para> + </note> + + <para> + Log output tends to be voluminous (especially at higher debug levels) so you won't want to save it indefinitely. You need to <emphasis>rotate</emphasis> the log files so that new log files are started and old ones removed after a reasonable |
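Review bot: In the first config.sgml hunk (@@ -6242), the new note under "What to Log" says only that logging choices "can have security implications" and leaves the reader to follow the xref to learn what they are. Suggest stating the risk in the note itself, for example that logged statements can contain sensitive data, and keeping the link to logfile-maintenance for the detail.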
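Review bot: In the second config.sgml hunk (@@ -6684), the added paragraph "Logged statements might reveal sensitive data and even contain plaintext passwords." carries no cross-reference, while the note added in the first hunk links to logfile-maintenance. Suggest adding the same <xref linkend="logfile-maintenance"/> here, so a reader who arrives at this parameter's note directly is led to the guidance on protecting the log.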
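Review bot: In the maintenance.sgml hunk (@@ -939), the new note closes with "Please ensure the server logs are visible only to appropriately authorized people" but names no setting or mechanism for doing that, and "some DDL statements" is left unspecified. Suggest giving one example of a statement that carries a password and linking back to the relevant logging parameters (the note already refers to the ERROR level, which the config.sgml hunk ties to log_min_error_statement), so the warning is actionable for each log destination it says it covers.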