rlm_sql_postgresql: db password appears in plaintext in logs

Coy Hile coy.hile at coyhile.com
Tue Jan 7 17:10:04 CET 2020


On 2020-01-07 10:31, L. Rose wrote:
> Hello everyone,
> 
> I'm not sure if this is a bug or a misconfiguration on our site. When
> running freeradius -X, the database password of our postgresql
> database appears in plaintext on the console:
> 
> rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb'
> host='127.0.0.1' port=1337 user='radiususer' password='example'
> 
> Of course, the values for dbname, host, port, user and password are
> not the real values, but the real values appear in the debug output. I
> thought that freeradius -X should not print any confidential
> information? Or is this a feature?
> 

As a user, I'd argue that's a feature, as the first thing one would 
debug is that the SQL connection is, in fact, connecting to the expected 
database, using the expected credentials.

-- 
Coy Hile
coy.hile at coyhile.com
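An added example, not part of the original thread and not FreeRADIUS code: a filter that masks the `password` value in a libpq-style keyword/value parameter line like the one quoted above, so `-X` debug output can be pasted into a ticket or list post without the credential. The function name `redact_conninfo`, the mask string and the sample lines in the comments are constructed for illustration.

```python
import re
import sys

# libpq keyword/value syntax: a value is either single-quoted (with \' and \\
# escapes inside) or a bare token that ends at the first unescaped whitespace.
# Alternatives, in order:
#   1. well-formed quoted value
#   2. opening quote with no closing quote (wrapped or truncated line):
#      mask to end of line rather than leak the tail
#   3. bare, unquoted value
_PASSWORD = re.compile(
    r"\b(password\s*=\s*)(?:'(?:[^'\\]|\\.)*'|'.*|(?:\\.|\S)+)",
    re.IGNORECASE,
)


def redact_conninfo(line: str, mask: str = "'***'") -> str:
    """Return `line` with every password=<value> replaced by password=<mask>.

    Other parameters (dbname, host, port, user) are left untouched so the
    output is still useful for checking which database is being contacted.
    """
    return _PASSWORD.sub(lambda m: m.group(1) + mask, line)


if __name__ == "__main__":
    # Constructed usage: freeradius -X 2>&1 | python3 redact.py
    # e.g. "... user='radiususer' password='example'"
    #   -> "... user='radiususer' password='***'"
    for raw in sys.stdin:
        sys.stdout.write(redact_conninfo(raw))
```
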

