rlm_sql_postgresql: db password appears in plaintext in logs
Hello everyone, I'm not sure if this is a bug or a misconfiguration on our site. When running freeradius -X, the database password of our postgresql database appears in plaintext on the console: rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb' host='127.0.0.1' port=1337 user='radiususer' password='example' Of course, the values for dbname, host, port, user and password are not the real values, but the real values appear in the debug output. I thought that freeradius -X should not print any confidential information? Or is this a feature? Thanks in advance, L. Rose
On 2020-01-07 10:31, L. Rose wrote:
Hello everyone,
I'm not sure if this is a bug or a misconfiguration on our site. When running freeradius -X, the database password of our postgresql database appears in plaintext on the console:
rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb' host='127.0.0.1' port=1337 user='radiususer' password='example'
Of course, the values for dbname, host, port, user and password are not the real values, but the real values appear in the debug output. I thought that freeradius -X should not print any confidential information? Or is this a feature?
As a user, I'd argue that's a feature, as the first thing one would debug is that the SQL connection is, in fact, connecting to the expected database, using the expected credentials. -- Coy Hile coy.hile@coyhile.com
hi, in full debug mode, everything gets printed - to ensure that reality and configuration match - ie if the DB doesnt connect then maybe some of the connection parameters are wrong. in later versions theres a 'minor debug' mode where some passwords are obfuscated. use that locally if you need to (surely whoever is running the server in debug can read the config files anyway?) but use the proper -X when sending debug stuff to the mailing list alan On Tue, 7 Jan 2020 at 15:34, L. Rose <lists@lrose.de> wrote:
Hello everyone,
I'm not sure if this is a bug or a misconfiguration on our site. When running freeradius -X, the database password of our postgresql database appears in plaintext on the console:
rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb' host='127.0.0.1' port=1337 user='radiususer' password='example'
Of course, the values for dbname, host, port, user and password are not the real values, but the real values appear in the debug output. I thought that freeradius -X should not print any confidential information? Or is this a feature?
Thanks in advance, L. Rose
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 7, 2020, at 10:31 AM, L. Rose <lists@lrose.de> wrote:
I'm not sure if this is a bug or a misconfiguration on our site. When running freeradius -X, the database password of our postgresql database appears in plaintext on the console:
rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb' host='127.0.0.1' port=1337 user='radiususer' password='example'
Of course, the values for dbname, host, port, user and password are not the real values, but the real values appear in the debug output. I thought that freeradius -X should not print any confidential information?
The debug output skips *some* confidential information as of 3.0.2. i.e. Shared secrets for clients, etc. But individual modules can still print debugging messages which include confidential information. i.e. users passwords, connection info, etc.
Or is this a feature?
The purpose of debugging is to debug the server. The more information that's hidden in debug mode, the harder it is to debug the server. To be honest, any administrator who can run the server in debug mode has access to the config files, and can read all of the secrets. So hiding confidential information is largely security theatre. Alan DeKok.
participants (4)
-
Alan Buxey -
Alan DeKok -
Coy Hile -
L. Rose