Closed
Description
With the config (this is under NixOS, I'm packaging and making a module for GLAuth over time):
```toml
syslog = true
[backend]
baseDN = "<censored>"
database = "host=localhost port=5432 dbname=glauth user=glauth password=<censored> sslmode=disable "
datastore = "plugin"
plugin = "/nix/store/p3iq8h2i77gh4zhmppdj1lrcxy2afxgk-glauth-2.0.0/bin/postgres.so"
pluginhandler = "NewPostgresHandler"
[ldap]
enabled = false
listen = "0.0.0.0:3893"
[ldaps]
cert = "/var/lib/acme/domain-auth/fullchain.pem"
enabled = true
key = "/var/lib/acme/domain-auth/key.pem"
listen = "0.0.0.0:3894"
[[groups]]
gidnumber = 1500
name = "admins"
[[users]]
name = "kat"
passsha256 = "<censored>"
primarygroup = 1500
uidnumber = 1000
[[users]]
name = "kc"
passsha256 = "<censored>"
primarygroup = 1500
uidnumber = 1001
```
Upon startup you get the log output:
```
Sep 05 16:32:40 daiyousei glauth[67744]: ([]config.Backend) (len=1 cap=1) {
Sep 05 16:32:40 daiyousei glauth[67744]: (config.Backend) {
Sep 05 16:32:40 daiyousei glauth[67744]: BaseDN: (string) (len=18) "<censored>",
Sep 05 16:32:40 daiyousei glauth[67744]: Datastore: (string) (len=6) "plugin",
Sep 05 16:32:40 daiyousei glauth[67744]: Insecure: (bool) false,
Sep 05 16:32:40 daiyousei glauth[67744]: Servers: ([]string) <nil>,
Sep 05 16:32:40 daiyousei glauth[67744]: NameFormat: (string) "",
Sep 05 16:32:40 daiyousei glauth[67744]: GroupFormat: (string) "",
Sep 05 16:32:40 daiyousei glauth[67744]: SSHKeyAttr: (string) "",
Sep 05 16:32:40 daiyousei glauth[67744]: UseGraphAPI: (bool) false,
Sep 05 16:32:40 daiyousei glauth[67744]: Plugin: (string) (len=72) "/nix/store/p3iq8h2i77gh4zhmppdj1lrcxy2afxgk-glauth-2.0.0/bin/postgres.so",
Sep 05 16:32:40 daiyousei glauth[67744]: PluginHandler: (string) (len=18) "NewPostgresHandler",
Sep 05 16:32:40 daiyousei glauth[67744]: Database: (string) (len=91) "host=localhost port=5432 dbname=glauth user=glauth password=<censored> sslmode=disable ",
Sep 05 16:32:40 daiyousei glauth[67744]: AnonymousDSE: (bool) false
Sep 05 16:32:40 daiyousei glauth[67744]: }
Sep 05 16:32:40 daiyousei glauth[67744]: }
Sep 05 16:32:40 daiyousei glauth[67744]: 16:32:40.781492 enableSyslog ▶ DEBU 001 "level"=6 "msg"="Syslog enabled"
Sep 05 16:32:40 daiyousei /nix/store/p3iq8h2i77gh4zhmppdj1lrcxy2afxgk-glauth-2.0.0/bin/glauth[67744]: 16:32:40.781492 enableSyslog ▶ DEBU 001 "level"=6 "msg"="Syslog enabled"
Sep 05 16:32:40 daiyousei glauth[67744]: 16:32:40.817641 NewDatabaseHandler ▶ NOTI 002 "level"=3 "msg"="Database (postgres::host=localhost port=5432 dbname=glauth user=glauth password=<database> sslmode=disable ) Plugin: Ready"
Sep 05 16:32:40 daiyousei /nix/store/p3iq8h2i77gh4zhmppdj1lrcxy2afxgk-glauth-2.0.0/bin/glauth[67744]: 16:32:40.817641 NewDatabaseHandler ▶ NOTI 002 "level"=3 "msg"="Database (postgres::host=localhost port=5432 dbname=glauth user=glauth password=<censored> sslmode=disable ) Plugin: Ready"
Sep 05 16:32:40 daiyousei glauth[67744]: 16:32:40.817761 NewServer ▶ NOTI 003 "level"=3 "msg"="Loading backend" "datastore"="plugin" "position"=0
Sep 05 16:32:40 daiyousei glauth[67744]: 16:32:40.817800 ListenAndServeTLS ▶ NOTI 004 "level"=3 "msg"="LDAPS server listening" "address"="0.0.0.0:3894"
Sep 05 16:32:40 daiyousei /nix/store/p3iq8h2i77gh4zhmppdj1lrcxy2afxgk-glauth-2.0.0/bin/glauth[67744]: 16:32:40.817761 NewServer ▶ NOTI 003 "level"=3 "msg"="Loading backend" "datastore"="plugin" "position"=0
Sep 05 16:32:40 daiyousei /nix/store/p3iq8h2i77gh4zhmppdj1lrcxy2afxgk-glauth-2.0.0/bin/glauth[67744]: 16:32:40.817800 ListenAndServeTLS ▶ NOTI 004 "level"=3 "msg"="LDAPS server listening" "address"="0.0.0.0:3894"
```
Within that log there are multiple examples of the password being printed, for example:
```
Sep 05 16:32:40 daiyousei /nix/store/p3iq8h2i77gh4zhmppdj1lrcxy2afxgk-glauth-2.0.0/bin/glauth[67744]: 16:32:40.817641 NewDatabaseHandler ▶ NOTI 002 "level"=3 "msg"="Database (postgres::host=localhost port=5432 dbname=glauth user=glauth password=<censored> sslmode=disable ) Plugin: Ready"
```
This contains the database password for the service on the default log level settings. This seems distinctly inadvisable.
Note: Previous versions of this issue text had the passwords accidentally left in, in some instances. These passwords have been cycled and the database is only available through localhost anyway.
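The leak happens because the "Plugin: Ready" notice formats the whole connection string, password included, into a message that then reaches both journald and syslog. As an added example (this is not GLAuth's code, and `RedactDSN` and the sample DSN are constructed for illustration), a Go helper that strips the password from a libpq keyword-form DSN, including quoted values with spaces or backslash escapes, and from a `postgres://` URL, so only the redacted form is ever handed to the logger:

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// passwordKV matches a libpq "password=value" pair. The value is either a bare
// token (no whitespace) or a single-quoted string that may contain spaces and
// backslash escapes, e.g. password='it\'s secret'. Whitespace around '=' is
// permitted by libpq and therefore also matched here.
var passwordKV = regexp.MustCompile(`(?i)\bpassword\s*=\s*('(?:\\.|[^'\\])*'|\S*)`)

// RedactDSN returns a copy of a PostgreSQL connection string with every
// password replaced by REDACTED. It understands the keyword form seen in the
// report above and the URL form (userinfo password and ?password= query key).
func RedactDSN(dsn string) string {
	if strings.HasPrefix(dsn, "postgres://") || strings.HasPrefix(dsn, "postgresql://") {
		u, err := url.Parse(dsn)
		if err != nil {
			return "<unparseable dsn>" // never fall back to echoing the raw input
		}
		if u.User != nil {
			if _, has := u.User.Password(); has {
				u.User = url.UserPassword(u.User.Username(), "REDACTED")
			}
		}
		if q := u.Query(); q.Has("password") {
			q.Set("password", "REDACTED")
			u.RawQuery = q.Encode() // note: Encode sorts keys
		}
		return u.String()
	}
	// Keyword form: the replacement is a literal, so no $-expansion applies.
	return passwordKV.ReplaceAllString(dsn, "password=REDACTED")
}

func main() {
	// Constructed sample; the report above had the real value censored.
	raw := "host=localhost port=5432 dbname=glauth user=glauth password=hunter2 sslmode=disable "
	fmt.Printf("Database (postgres::%s) Plugin: Ready\n", RedactDSN(raw))
}
```

Call `RedactDSN` on the string before formatting the log message; the default log level is irrelevant once the secret never enters the message at all.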