rlm_sql_postgresql: db password appears in plaintext in logs

Alan DeKok aland at deployingradius.com
Tue Jan 7 17:33:57 CET 2020


On Jan 7, 2020, at 10:31 AM, L. Rose <lists at lrose.de> wrote:
> I'm not sure if this is a bug or a misconfiguration on our site. When running freeradius -X, the database password of our postgresql database appears in plaintext on the console:
> 
> rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb' host='127.0.0.1' port=1337 user='radiususer' password='example'
> 
> Of course, the values for dbname, host, port, user and password are not the real values, but the real values appear in the debug output. I thought that freeradius -X should not print any confidential information?

  The debug output skips *some* confidential information as of 3.0.2.  i.e. Shared secrets for clients, etc.

  But individual modules can still print debugging messages which include confidential information.  i.e. users' passwords, connection info, etc.

> Or is this a feature?

  The purpose of debugging is to debug the server.  The more information that's hidden in debug mode, the harder it is to debug the server.

  To be honest, any administrator who can run the server in debug mode has access to the config files, and can read all of the secrets.  So hiding confidential information is largely security theatre.

  Alan DeKok.
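A practical consequence of the above: when a debug log has to leave the box (for instance when pasting it to this list), the secrets have to be masked before sharing, since the server itself will not do it. The filter below is an added example and is not part of the thread or of the FreeRADIUS project. It masks only the password value and keeps dbname, host, port and user intact so the log stays useful. The quoted form `password='...'` is the one rlm_sql_postgresql prints in the thread; the unquoted `password=...` form and the third sample line are assumptions added for illustration, and all sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): mask password
# values in `freeradius -X` output before the output is shared. Other fields
# (dbname, host, port, user) are left as they are.
#
# Patterns covered:
#   password='...'  - quoted, as rlm_sql_postgresql prints it (shown in the thread)
#   password=...    - unquoted; ASSUMED for other modules, not shown in the thread

redact_debug() {
    # First pass: quoted values (may contain spaces). Second pass: unquoted
    # values up to the next space. The second pass does not touch the
    # already-masked quoted form because it refuses a leading quote.
    sed -e "s/\(password=\)'[^']*'/\1'<redacted>'/g" \
        -e "s/\(password=\)[^ '][^ ]*/\1<redacted>/g"
}

# Constructed sample lines, modelled on the single line quoted in the thread.
SAMPLE_LOG="rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb' host='127.0.0.1' port=1337 user='radiususer' password='example'
rlm_sql_postgresql: Connecting using parameters: dbname='radiusdb' host='127.0.0.1' port=1337 user='radiususer' password='pa ss word'
some_module: password=hunter2 user=alice"

# Run the filter over the embedded sample (used here instead of live output).
redact_sample() {
    printf '%s\n' "$SAMPLE_LOG" | redact_debug
}

redact_sample
```

In real use the filter sits on the debug output directly: `freeradius -X 2>&1 | redact_debug > debug.log`. Note that this only masks what matches the two patterns; anything else a module chooses to print (user passwords in attribute dumps, for example) still needs to be checked by eye before the log is shared.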
