Magnus Hagander <mag...@hagander.net> writes:
> On Wed, Oct 14, 2009 at 18:25, Tom Lane <t...@sss.pgh.pa.us> wrote:
>> Let's see you do that (hint: "CREATD USER ... PASSWORD" is going to
>> throw a syntax error before you realize there's anything there that
>> might need to be protected).

> I'm unsure if it's our responsibility to think about that. We can leak
> a *lot* of sensitive information to the logs through syntax errors,
> this is just one of them. We *do* need to worry about the statements
> when they are sent properly, of course.

Even if they're "sent properly", this entire discussion misses the point. The reason to not want cleartext passwords in the logs is that the user doesn't trust the DBA. Why would a user who doesn't trust the DBA want to trust him to not be running a modified copy of the database with all this nice logic disabled?

The real point of crypted passwords is to not let uncrypted passwords go anywhere outside the *user's* control. If the DBA wants to enforce a policy that is incompatible with that, it should be extremely obvious to all concerned that that's what he's doing. In particular it should be in the user's face that he's about to send an uncrypted password, so that he can think twice about the particular password he's choosing (and hopefully not use one that's also good for another service).

For relatively smart clients like pgAdmin, there might also be an option to refuse to send such a command across an insecure connection, or at least nag the user about it.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
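
An added example, not part of the original message and not pgAdmin's or PostgreSQL's own code: a sketch of the client-side check suggested in the last paragraph, which crypts the password before it leaves the client when it can and otherwise refuses or nags. It assumes PostgreSQL's md5 stored-password form; `guard`, `pg_md5` and the `server_needs_cleartext` flag are hypothetical names, and the regex is a heuristic rather than a SQL parser.

```python
import hashlib
import re

# Hypothetical client-side guard (names are assumptions, not a real client API).
# Heuristic match for CREATE/ALTER USER|ROLE ... PASSWORD '<literal>'.
_PW_STMT = re.compile(
    r"""^\s*(?:CREATE|ALTER)\s+(?:USER|ROLE)\s+("[^"]+"|\w+)\s.*?\bPASSWORD\s+'((?:[^']|'')*)'""",
    re.IGNORECASE | re.DOTALL,
)
_MD5_FORM = re.compile(r"md5[0-9a-f]{32}")


def pg_md5(password, role):
    """PostgreSQL md5 stored form: 'md5' + hex(md5(password || role name))."""
    return "md5" + hashlib.md5((password + role).encode("utf-8")).hexdigest()


def guard(sql, encrypted, server_needs_cleartext):
    """Decide what a client should do with `sql` before sending it.

    Returns (action, sql_to_send); action is 'send', 'rewritten',
    'warn' or 'refuse'. `server_needs_cleartext` models a server-side
    policy that cannot work with an already crypted password.
    """
    m = _PW_STMT.search(sql)
    if m is None:
        # Also covers typos such as "CREATD USER": the guard cannot see
        # those, so the cleartext still reaches the server and its logs.
        return "send", sql
    literal = m.group(2)
    if _MD5_FORM.fullmatch(literal):
        return "send", sql  # already crypted on the client
    if not server_needs_cleartext:
        # Unquoted role names are folded to lower case by the server.
        role = m.group(1)
        role = role[1:-1] if role.startswith('"') else role.lower()
        hashed = pg_md5(literal.replace("''", "'"), role)
        return "rewritten", sql[:m.start(2)] + hashed + sql[m.end(2):]
    if not encrypted:
        return "refuse", None  # cleartext password over an insecure connection
    return "warn", sql  # cleartext leaves the user's control: nag first


if __name__ == "__main__":
    # Constructed sample statements.
    print(guard("CREATE USER Bob PASSWORD 's3cret'", False, False))
    print(guard("CREATD USER bob PASSWORD 's3cret'", False, False))
```
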