Unix Technical Forum

Re: Insecurity of ODBC debug logging files



#1 Dave Page, 04-16-2008, 01:28 AM



> -----Original Message-----
> From: pgsql-odbc-owner@postgresql.org
> [mailto:pgsql-odbc-owner@postgresql.org] On Behalf Of Tom Lane
> Sent: 05 October 2005 18:50
> To: pgsql-odbc@postgresql.org
> Subject: [ODBC] Insecurity of ODBC debug logging files
>
> I have a gripe here:
> https://bugzilla.redhat.com/bugzilla....cgi?id=154126
> about the fact that ODBC is willing to store passwords into debug log
> files that aren't secure. Anyone want to do something about it?
>
> Offhand it seems like simply omitting the password from the
> log wouldn't
> be a bad idea.


That was fixed almost 2.5 years ago by Hiroshi. I just checked my own logs
and it does mask the passwords appropriately.

> But even then, a log file will frequently contain
> sensitive data (eg, credit card numbers appearing in INSERT
> statements).
> Seems to me that there should also be some care taken to make the log
> file not world-readable.


I'll have a look at writing them with mode 600 on *nix. On Win9x and NT
based systems with FAT partitions there's nothing we can do of course.
I'd rather not make the filenames unpredictable though as that'll make
it difficult for us to tell users how to track down the right debug log.

Regards, Dave.

---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly

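The mode 600 idea from this post, sketched in C as an added example (not psqlODBC code and not from the thread); `open_private_log`, `log_mode` and the file name are hypothetical. Because the file name stays predictable, the open has to cope with a file that is already there, so it refuses a symlink at that name and tightens looser permissions left by an earlier run.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not a psqlODBC function): open a debug log at a
 * predictable path so that only its owner can read or write it.
 * Returns an fd open for append, or -1 if the file cannot be made private. */
int open_private_log(const char *path)
{
    struct stat st;
    /* 0600 applies when the file is created here; O_NOFOLLOW makes the
     * open fail if the predictable name is a symbolic link. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                  S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    /* The file may predate this run with looser bits: accept only a regular
     * file we own with a single link, then force its mode down to 0600. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits of path, or -1 on error (lstat does not follow links). */
int log_mode(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    const char *path = "example_odbc_debug.log";   /* constructed name */
    int fd = open_private_log(path);
    if (fd < 0) { perror("open_private_log"); return 1; }
    dprintf(fd, "conn: UID=demo;PWD=xxxxx\n");     /* constructed, masked line */
    close(fd);
    printf("%s mode %o\n", path, (unsigned)log_mode(path));
    return 0;
}
```

The checks run on the open descriptor (`fstat`/`fchmod`) rather than on the path, so they apply to the file that will actually be written.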
#2 Lothar Behrens, 04-16-2008, 01:28 AM


On 05.10.2005 at 21:08, Dave Page wrote:

>> But even then, a log file will frequently contain
>> sensitive data (eg, credit card numbers appearing in INSERT
>> statements).
>> Seems to me that there should also be some care taken to make the log
>> file not world-readable.

>
> I'll have a look at writing them with mode 600 on *nix. On Win9x and NT
> based systems with FAT partitions there's nothing we can do of course.
> I'd rather not make the filenames unpredictable though as that'll make
> it difficult for us to tell users how to track down the right debug
> log.
>


Hi,

what about a special database type like sensitive or an encrypted
column type?
If the ODBC driver comes across such a column, it could be masked
out as well.

Regards, Lothar

> Regards, Dave.
>

--
Lothar Behrens | Rapid Prototyping ...
Rosmarinstr 3 |
40235 Düsseldorf | www.lollisoft.de


