Commit 9039e34e authored by Bruce Momjian

doc: warn about security issues around log files

Reported-by: Simon Riggs

Discussion: https://postgr.es/m/CANP8+jJESuuXYq9Djvf-+tx2vY2OFLmfEuu+UvwHNJ1RT7iJCQ@mail.gmail.com

Author: Simon Riggs

Backpatch-through: 10
parent ec98eac9
...@@ -6649,6 +6649,13 @@ local0.* /var/log/postgresql ...@@ -6649,6 +6649,13 @@ local0.* /var/log/postgresql
<sect2 id="runtime-config-logging-what"> <sect2 id="runtime-config-logging-what">
<title>What to Log</title> <title>What to Log</title>
<note>
<para>
What you choose to log can have security implications; see
<xref linkend="logfile-maintenance"/>.
</para>
</note>
<variablelist> <variablelist>
<varlistentry id="guc-application-name" xreflabel="application_name"> <varlistentry id="guc-application-name" xreflabel="application_name">
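Review bot: The new note at the top of "What to Log" says only that logging choices "can have security implications" and defers everything else to the xref, so a reader scanning this section does not learn what the risk is. Consider naming it in the same sentence, for example that logged statements can expose sensitive data or passwords, and keep the <xref linkend="logfile-maintenance"/> for the details.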
...@@ -7241,6 +7248,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a ' ...@@ -7241,6 +7248,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a '
planning). Set <varname>log_min_error_statement</varname> to planning). Set <varname>log_min_error_statement</varname> to
<literal>ERROR</literal> (or lower) to log such statements. <literal>ERROR</literal> (or lower) to log such statements.
</para> </para>
<para>
Logged statements might reveal sensitive data and even contain
plaintext passwords.
</para>
</note> </note>
</listitem> </listitem>
</varlistentry> </varlistentry>
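Review bot: The paragraph added after the log_min_error_statement sentence warns that logged statements can contain plaintext passwords but, unlike the note added under "What to Log", carries no cross-reference and no advice on what to do about it. Suggest ending it with a pointer such as "see <xref linkend="logfile-maintenance"/>" so the warning leads to the guidance on protecting the log.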
......
...@@ -958,7 +958,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu ...@@ -958,7 +958,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu
It is a good idea to save the database server's log output It is a good idea to save the database server's log output
somewhere, rather than just discarding it via <filename>/dev/null</filename>. somewhere, rather than just discarding it via <filename>/dev/null</filename>.
The log output is invaluable when diagnosing The log output is invaluable when diagnosing
problems. However, the log output tends to be voluminous problems.
</para>
<note>
<para>
The server log can contain sensitive information and needs to be protected,
no matter how or where it is stored, or the destination to which it is routed.
For example, some DDL statements might contain plaintext passwords or other
authentication details. Logged statements at the <literal>ERROR</literal>
level might show the SQL source code for applications
and might also contain some parts of data rows. Recording data, events and
related information is the intended function of this facility, so this is
not a leakage or a bug. Please ensure the server logs are visible only to
appropriately authorized people.
</para>
</note>
<para>
Log output tends to be voluminous
(especially at higher debug levels) so you won't want to save it (especially at higher debug levels) so you won't want to save it
indefinitely. You need to <emphasis>rotate</emphasis> the log files so that indefinitely. You need to <emphasis>rotate</emphasis> the log files so that
new log files are started and old ones removed after a reasonable new log files are started and old ones removed after a reasonable
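Review bot: The closing sentence of the new note ("Please ensure the server logs are visible only to appropriately authorized people") states the requirement without naming any mechanism, and the note has just said this applies "no matter how or where it is stored, or the destination to which it is routed". A short pointer to the relevant controls would make it actionable, for example log_file_mode for files written by the server and the receiving system's own permissions when output goes to syslog. Two wording points in the same note: "some DDL statements" would be clearer with one example of a statement that carries a password, and "not a leakage or a bug" reads better as "not a leak or a bug".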
......