On Tue, Mar 22, 2011 at 4:09 PM, Dave Page <dp...@pgadmin.org> wrote:
>
> On Tue, Mar 22, 2011 at 3:45 PM, Dave Page <dp...@pgadmin.org> wrote:
>>
>> On Tue, Mar 22, 2011 at 5:10 AM, Craig Sacco <craig.sa...@gmail.com> wrote:
>>>
>>> The following bug has been logged online:
>>>
>>> Bug reference:      5938
>>> Logged by:          Craig Sacco
>>> Email address:      craig.sa...@gmail.com
>>> PostgreSQL version: 9.0.3
>>> Operating system:   Microsoft Windows (all variants, 32 and 64 bit)
>>> Description:        PostgreSQL Installer outputs log file with superuser password in clear text
>>> Details:
>>>
>>> The PostgreSQL installer outputs a log file to the temporary directory with
>>> the superuser password in clear text. We are deploying PostgreSQL as part of
>>> a commercial product and would like to ensure that the password is not
>>> available to ordinary users.
>>>
>>
>> This has been fixed for the next releases.
>
> For the sake of the archives, it should also be noted that the file is in a
> secure directory, much as a .pgpass file would be, so this is generally only
> an issue for the situation described above, and not when a user installs a
> copy himself.
I accept it's not a worst-case problem, but we should rate the problem A-D as with other security issues. All cases should get a rating so we know what we're dealing with.

The problem is that the password is disclosed in a surprising way. .pgpass files are explicitly put there by a user, so they know what they've done. Putting a password in cleartext somewhere is an issue if people don't know about it.

-- 
 Simon Riggs                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

-- 
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
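To make the reported failure mode concrete, here is an added example (not code from the PostgreSQL installer, from EnterpriseDB, or from anyone in this thread) of the two checks a deployer embedding the installer in a product would want: a redaction step for anything an installer writes to its log, and a sweep of the temp directory for files that still hold the superuser password in clear text. The option spelling "--superpassword <value>", the log file names and the sample log lines are assumptions constructed for illustration, not taken from the page.

```python
"""Added example (not the installer's code): detect and prevent the leak.

Assumptions, not taken from the thread: the option spelling
"--superpassword <value>", the log file names and the sample log
lines below are placeholders constructed for illustration.
"""
import os
import re
import shutil
import stat
import tempfile

# Keys whose values must never reach a log (matched case-insensitively).
SECRET_KEYS = ("superpassword", "password", "passwd", "pwd", "secret")

# Matches "key=value", "key: value" and "--key value"; the value is the
# next non-space token. Over-redacting (e.g. "password is") is accepted
# as the safe direction of error.
_SECRET_RE = re.compile(
    r"(?P<key>(?:--)?(?:%s)\b)(?P<sep>\s*[=:]\s*|\s+)(?P<val>\S+)"
    % "|".join(SECRET_KEYS),
    re.IGNORECASE,
)


def redact(line):
    """Return the log line with every secret value replaced by ********."""
    return _SECRET_RE.sub(
        lambda m: m.group("key") + m.group("sep") + "********", line)


def find_cleartext_leaks(directory, password):
    """Return sorted paths of files under directory that contain password."""
    needle = password.encode()
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        hits.append(path)
            except OSError:
                continue  # a file we cannot read cannot leak to us either
    return sorted(hits)


def is_world_readable(path):
    """POSIX permission check; NTFS ACLs are not reflected in st_mode,
    so on Windows inspect the ACL (e.g. icacls) instead."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample lines, modelled on what an installer might log.
SAMPLE_LOG = [
    "Executing initdb --superpassword s3cret-pw --datadir C:\\PG\\data",
    "Connecting as user=postgres password=s3cret-pw",
    "Service registered; no password required for local connections",
    "Done.",
]


def demo_scan():
    """Write the sample log unredacted and redacted into a temp dir,
    sweep it, and return the base names of files that leak the password."""
    tmp = tempfile.mkdtemp(prefix="pginstall-")
    try:
        leaky = os.path.join(tmp, "install-postgresql.log")
        with open(leaky, "w") as fh:
            fh.write("\n".join(SAMPLE_LOG) + "\n")
        clean = os.path.join(tmp, "install-redacted.log")
        with open(clean, "w") as fh:
            fh.write("\n".join(redact(l) for l in SAMPLE_LOG) + "\n")
        return [os.path.basename(p)
                for p in find_cleartext_leaks(tmp, "s3cret-pw")]
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact(line))
    print("leaking files:", demo_scan())
```

Run it as a script to see the redacted lines and the sweep result; only the unredacted log is reported. The sweep is the check to run after an unattended install finishes (against the real temp directory and the real password), and the redaction is what the installer's own logging should do before any line is written, since, as the thread notes, the directory's permissions only protect the file when the person who installed it is also the only one who can read it.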