[rt-users] Logging DB password in http-error.log

Ruslan Zakirov ruslan.zakirov at gmail.com
Thu Mar 9 17:07:31 EST 2006


You can see this only when the Apache::DBI::DEBUG variable is set to 1 or
greater; by default it's 0 and RT doesn't change it. Grep for this var
in your code or in httpd confs.

On 3/9/06, Jens Andersson <jens.andersson at teleservice.net> wrote:
> > > We get this message in our apache http-error.log all the time.
> > >
> > > 49694 Apache::DBI             need ping: 49694 Apache::DBI
> > > new connect to
> > > 'dbname=rt3;host=localhost^\rt_user^\password^\AutoCommit=1^
> > > \PrintError=
> > > 1^\Username=rt_user'
> > >
> > > Why is the password logged in plain text?
> >
> > Did you set LogLevel to 'debug' somewhere? And why do
> > untrustworthy people have access to your log files?
>
> No, no debug loglevel.
>
> And of course no, there are no untrustworthy people that have access to
> our log files but passwords shouldn't be stored in our log files.
>
> // Jens


--
Best regards, Ruslan.
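
The check suggested in this reply, as an added example that is not part of the original thread and is not RT or Apache::DBI code: it finds lines naming the Apache::DBI::DEBUG variable in code and config files, and masks the password field in connect lines already written to the error log. The function names, the file suffix list and the sample log are constructed for illustration; the field separator is assumed to be what the quoted message shows as `^\`.

```python
import re
from pathlib import Path

# Field separator inside the logged connect string. The log quoted in the thread
# shows it as the two characters ^\ ; the raw 0x1C byte is accepted too (assumption).
SEP = r"(?:\^\\|\x1c)"

# Groups: 1 = prefix up to and including the separator after the user name,
#         2 = the password field (ends at the next separator or closing quote).
LEAK_RE = re.compile(
    r"(Apache::DBI\s+new connect to\s+'.*?" + SEP + r".*?" + SEP + r")"
    r"(.*?)(?=" + SEP + r"|'\s*$)"
)
DEBUG_VAR_RE = re.compile(r"Apache::DBI::DEBUG\b")

def redact_line(line):
    """Return (line with the password field masked, True if a leak was found)."""
    new, n = LEAK_RE.subn(r"\1[REDACTED]", line)
    return new, n > 0

def scan_log(lines):
    """Return [(line_number, redacted_line)] for every line that leaks a password."""
    hits = []
    for no, line in enumerate(lines, 1):
        redacted, leaked = redact_line(line.rstrip("\n"))
        if leaked:
            hits.append((no, redacted))
    return hits

def find_debug_settings(root, suffixes=(".pm", ".pl", ".conf")):
    """Return [(path, line_number, text)] for lines naming $Apache::DBI::DEBUG."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if DEBUG_VAR_RE.search(line):
                    found.append((str(path), no, line.strip()))
    return found

# Constructed sample, modelled on the (line-wrapped) message quoted in the thread.
SAMPLE_LOG = [
    "[notice] Apache configured -- resuming normal operations",
    "49694 Apache::DBI new connect to 'dbname=rt3;host=localhost^\\rt_user^\\password^\\AutoCommit=1^\\PrintError=1^\\Username=rt_user'",
]

if __name__ == "__main__":
    for no, line in scan_log(SAMPLE_LOG):
        print(f"line {no}: {line}")
```

Masking old log lines does not undo the exposure: a password that has already been written to a log should be changed once the debug setting is back to 0.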

