Re: Security of ODBC debug log file leaves something to be desired

From Mischa Sandberg
Subject Re: Security of ODBC debug log file leaves something to be desired
Date
Msg-id 1112937885.4256159d1fb18@webmail.telus.net
In reply to Security of ODBC debug log file leaves something to be desired  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Security of ODBC debug log file leaves something to be  (Marko Ristola <marko.ristola@kolumbus.fi>)
List pgsql-odbc
Quoting Tom Lane <tgl@sss.pgh.pa.us>:

> I got a complaint here
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154126
> pointing out that when you set debug=1, the generated log file
> is world-readable by default, which doesn't seem like a good
> idea when it may contain your password.
> Any thoughts about fixing this?  It's hard to believe no one
> has pointed it out before, so I was wondering if there was some
> good reason for doing it like this.

Read your comments in the bug report. No, it is not intentional.
It is just YA case of ODBC paying only lip service to security.
There are still many commercial drivers that send the password over TCP,
in the clear. Gah.

Both the driver manager and the driver write to the debug log.
Each of them is responsible for not doing things like that!
File permissions on the log itself are rather weak protection.

When I worked for Simba (ODBC kit/SQL engine company, now owned by orbital.com)
we patched iODBC so that the password string was overwritten with "*"s
before it was logged; and our driver kit did the same.
It is simple to fix. Can't guarantee I can make the time right now;
having too much antifun with Postgres performance on Solaris.

--
"Dreams come true, not free." -- S.Sondheim, ITW
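
The two mitigations discussed in this message, overwriting the password with "*" before the connection string is logged and keeping the debug log owner-only, sketched in C as an added example; it is not code from psqlODBC, iODBC or Simba. The function names, the sample connection string, the log path and the brace-quoting rule are assumptions, and `outlen` must be at least 1.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy conn into out with the value of PWD= / PASSWORD= overwritten by '*'.
 * Assumed quoting: a value may be {brace-quoted}, with "}}" as a literal '}'. */
static void mask_password(const char *conn, char *out, size_t outlen)
{
    size_t o = 0;
    int at_key = 1;                        /* at start, or just after ';' */
    while (*conn && o + 1 < outlen) {
        size_t klen = !at_key ? 0 : !strncasecmp(conn, "PWD=", 4) ? 4
                    : !strncasecmp(conn, "PASSWORD=", 9) ? 9 : 0;
        if (!klen) {                       /* ordinary character: copy as is */
            at_key = *conn == ';' || (at_key && *conn == ' ');
            out[o++] = *conn++;
            continue;
        }
        while (klen-- && o + 1 < outlen) out[o++] = *conn++;  /* keep the key */
        int braced = (*conn == '{');
        while (*conn && o + 1 < outlen && (braced || *conn != ';')) {
            int brace = braced && *conn == '}', escaped = brace && conn[1] == '}';
            out[o++] = '*'; conn++;
            if (escaped && o + 1 < outlen) { out[o++] = '*'; conn++; }
            if (brace && !escaped) break;  /* closing brace ends the value */
        }
    }
    out[o] = '\0';
}

/* Owner-only log: fchmod fixes an existing file, O_NOFOLLOW rejects symlinks. */
static int open_private_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    char line[256];                        /* sample string is constructed */
    mask_password("DSN=pg;UID=bob;PWD={s3;cret};Port=5432", line, sizeof line);
    int fd = open_private_log("odbc_debug_example.log");
    if (fd >= 0) { dprintf(fd, "connect: %s\n", line); close(fd); }
    return fd < 0;
}
```

Masking has to happen in both the driver manager and the driver, since each writes to the log independently; the file mode only limits who can read whatever still gets through.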

