doc: warn about security issues around log files

Reported-by: Simon Riggs Discussion: https://postgr.es/m/CANP8+jJESuuXYq9Djvf-+tx2vY2OFLmfEuu+UvwHNJ1RT7iJCQ@mail.gmail.com Author: Simon Riggs Backpatch-through: 10
2022-08-12 12:02:21 -04:00 · 2022-08-12 12:02:21 -04:00 · 50e088d6f2
parent 1886060b98
commit 50e088d6f2
2 changed files with 30 additions and 1 deletions
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@ -6860,6 +6860,13 @@ local0.*    /var/log/postgresql
     <sect2 id="runtime-config-logging-what">
     <title>What to Log</title>

+     <note>
+      <para>
+       What you choose to log can have security implications;  see
+       <xref linkend="logfile-maintenance"/>.
+      </para>
+     </note>
+
     <variablelist>

     <varlistentry id="guc-application-name" xreflabel="application_name">
@ -7458,6 +7465,10 @@ log_line_prefix = '%m [%p] %q%u@%d/%a '
         planning).  Set <varname>log_min_error_statement</varname> to
         <literal>ERROR</literal> (or lower) to log such statements.
        </para>
+        <para>
+         Logged statements might reveal sensitive data and even contain
+         plaintext passwords.
+        </para>
       </note>
      </listitem>
     </varlistentry>
--- a/doc/src/sgml/maintenance.sgml
+++ b/doc/src/sgml/maintenance.sgml
@ -977,7 +977,25 @@ analyze threshold = analyze base threshold + analyze scale factor * number of tu
   It is a good idea to save the database server's log output
   somewhere, rather than just discarding it via <filename>/dev/null</filename>.
   The log output is invaluable when diagnosing
-   problems.  However, the log output tends to be voluminous
+   problems.
+  </para>
+
+  <note>
+   <para>
+    The server log can contain sensitive information and needs to be protected,
+    no matter how or where it is stored, or the destination to which it is routed.
+    For example, some DDL statements might contain plaintext passwords or other
+    authentication details. Logged statements at the <literal>ERROR</literal>
+    level might show the SQL source code for applications
+    and might also contain some parts of data rows. Recording data, events and
+    related information is the intended function of this facility, so this is
+    not a leakage or a bug. Please ensure the server logs are visible only to
+    appropriately authorized people.
+   </para>
+  </note>
+
+  <para>
+   Log output tends to be voluminous
   (especially at higher debug levels) so you won't want to save it
   indefinitely.  You need to <emphasis>rotate</emphasis> the log files so that
   new log files are started and old ones removed after a reasonable