On Wed, Oct 14, 2009 at 6:08 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > Magnus Hagander <mag...@hagander.net> writes: >> On Wed, Oct 14, 2009 at 18:25, Tom Lane <t...@sss.pgh.pa.us> wrote: >>> Let's see you do that (hint: "CREATD USER ... PASSWORD" is going to >>> throw a syntax error before you realize there's anything there that >>> might need to be protected). > >> I'm unsure if it's our responsibility to think about that. We can leak >> a *lot* of sensitive information to the logs through syntax errors, >> this is just one of them. We *do* need to worry about the statements >> when they are sent properly, of course. > > Even if they're "sent properly", this entire discussion misses the point. > The reason to not want cleartext passwords in the logs is that the user > doesn't trust the DBA. Why would a user who doesn't trust the DBA > want to trust him to not be running a modified copy of the database with > all this nice logic disabled?
If you trust him that little, why would you use a password that you also use elsewhere? Besides, if he can run a modified version of the database, its game over anyway. Just set pg_hba.conf's auth method to password, and you don't even have to wait for the user to change their password - you can grab it the next time he logs in. -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
