diff options
| author | Bruce Momjian <bruce@momjian.us> | 2022-08-12 12:02:21 -0400 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2022-08-12 12:02:21 -0400 |
| commit | 50e088d6f262b602d2d983b41696188815ba1e00 (patch) | |
| tree | fa45113b0d5ad2d631e44c14bc376f3dc1ddb593 /doc/src | |
| parent | 1886060b985135af5088bbd9368c54e39f1327cc (diff) | |
| download | postgresql-50e088d6f262b602d2d983b41696188815ba1e00.tar.gz postgresql-50e088d6f262b602d2d983b41696188815ba1e00.zip | |
doc: warn about security issues around log files
Reported-by: Simon Riggs
Discussion: https://postgr.es/m/CANP8+jJESuuXYq9Djvf-+tx2vY2OFLmfEuu+UvwHNJ1RT7iJCQ@mail.gmail.com
Author: Simon Riggs
Backpatch-through: 10
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/config.sgml | 11 | ||||
| -rw-r--r-- | doc/src/sgml/maintenance.sgml | 20 |
2 files changed, 30 insertions, 1 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 353d4e808af..6150e57d713 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -6860,6 +6860,13 @@ local0.* /var/log/postgresql <sect2 id="runtime-config-logging-what"> <title>What to Log</title> + <note> + <para> + What you choose to log can have security implications; see + <xref linkend="logfile-maintenance"/>. + </para> + </note> + <variablelist> <varlistentry id="guc-application-name" xreflabel="application_name"> @@ -7458,6 +7465,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' planning). Set <varname>log_min_error_statement</varname> to <literal>ERROR</literal> (or lower) to log such statements. </para> + <para> + Logged statements might reveal sensitive data and even contain + plaintext passwords. + </para> </note> </listitem> </varlistentry> diff --git a/doc/src/sgml/maintenance.sgml b/doc/src/sgml/maintenance.sgml index a209a633043..759ea5ac9c4 100644 --- a/doc/src/sgml/maintenance.sgml +++ b/doc/src/sgml/maintenance.sgml @@ -977,7 +977,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu It is a good idea to save the database server's log output somewhere, rather than just discarding it via <filename>/dev/null</filename>. The log output is invaluable when diagnosing - problems. However, the log output tends to be voluminous + problems. + </para> + + <note> + <para> + The server log can contain sensitive information and needs to be protected, + no matter how or where it is stored, or the destination to which it is routed. + For example, some DDL statements might contain plaintext passwords or other + authentication details. Logged statements at the <literal>ERROR</literal> + level might show the SQL source code for applications + and might also contain some parts of data rows. Recording data, events and + related information is the intended function of this facility, so this is + not a leakage or a bug. Please ensure the server logs are visible only to + appropriately authorized people. + </para> + </note> + + <para> + Log output tends to be voluminous (especially at higher debug levels) so you won't want to save it indefinitely. You need to <emphasis>rotate</emphasis> the log files so that new log files are started and old ones removed after a reasonable |