All passwords in logs


#1

Hi,

A question I might have asked already but I still don’t have an answer:

How can I prevent all my users’ passwords to end in the log files?
Rails logs all params, and that puts all passwords in the logs…

I’d prefer to not stop the logging :slight_smile:
Is it possible to just not log the params? (Or can I use this method?
http://wiki.rubyonrails.com/rails/pages/HowtoSelectivelySuppressLogging
)

Thanks

raph


#2

On 11/18/05, Raphael B. removed_email_address@domain.invalid wrote:

How can I prevent all my users’ passwords to end in the log files?
Rails logs all params, and that puts all passwords in the logs…

I’d prefer to not stop the logging :slight_smile:
Is it possible to just not log the params?

See http://dev.rubyonrails.org/ticket/1897. I’ve prepared a plugin
that does the same thing as the patch in that ticket, but I haven’t
publicly released it yet. I can probably put it up this weekend if
people are interested.


#3

Jeremy E. <jeremyevans0@…> writes:

See http://dev.rubyonrails.org/ticket/1897. I’ve prepared a plugin
that does the same thing as the patch in that ticket, but I haven’t
publicly released it yet. I can probably put it up this weekend if
people are interested.

I saw your ticket previously: it’s a clever idea. I’m of two minds on
whether
or not the problem is bad enough to justify an overall change–afterall,
by
default the logging threshold is jacked up high enough in production
mode that
parameters (including passwords)–don’t get logged. There are cases,
however,
where your change is just what’s needed, and a plug-in would be the
perfect
solution.

I guess that’s a long way of saying, “yes, please, people are
interested,
release the plug-in!”

–Forrest


#4

Justin F. <justin@…> writes:

[…] by
default the logging threshold is jacked up high enough in production mode
that parameters (including passwords)–don’t get logged.

Is this documented anywhere? I was just looking in the configuration
section in the Agile Rails book for info on how to minimise logging in
production, and didn’t find anything.

Trying running in production mode under WEBrick, just to see how it
behaved, I was still getting params and SQL in the production.log.

The only place I’ve seen it documented is in comments in the
config/environment.rb file, where it says:

Force all environments to use the same logger level

(by default production uses :info, the others :debug)

config.log_level = :debug

I didn’t try running on production (I’m still developing my app :wink: ),
but I
tried inserting
config.log_level = :info
into environment.rb, and parameter values were no longer written to the
log file
(and neither was almost anything else). So I can confirm that the
mechanism is
there and that it works, but I haven’t actually tested the statement in
the
comments that “by default production uses :info”.

–Forrest


#5

Forrest T. wrote:

[…] by
default the logging threshold is jacked up high enough in production mode that
parameters (including passwords)–don’t get logged.

Is this documented anywhere? I was just looking in the configuration
section in the Agile Rails book for info on how to minimise logging in
production, and didn’t find anything.

Trying running in production mode under WEBrick, just to see how it
behaved, I was still getting params and SQL in the production.log.

Traditionally one of the arguments in favour of using POST in web
applications has been that POSTED data doesn’t appear in the server log.
I would like this to be true (or, at least, possible) for Rails
applications.

regards

Justin


#6

On Nov 19, 2005, at 9:43 AM, Forrest T. wrote:

production, and didn’t find anything.

comments that “by default production uses :info”.

–Forrest

Hey-

I am using this snippet in environment.rb to set the production log

level to FATAL so that only real errors and stack traces go to the
production.log. But keep in mind that the app I am using this in is
running on rails .13.1. I’m not sure if it is still valid to use in .
14.3:

Configure defaults if the included environment did not.

begin
RAILS_DEFAULT_LOGGER = Logger.new("#{RAILS_ROOT}/log/#
{RAILS_ENV}.log")
RAILS_DEFAULT_LOGGER.level = (RAILS_ENV == ‘production’ ?
Logger::FATAL : Logger::DEBUG)
rescue StandardError
RAILS_DEFAULT_LOGGER = Logger.new(STDERR)
RAILS_DEFAULT_LOGGER.level = Logger::WARN
RAILS_DEFAULT_LOGGER.warn(
"Rails Error: Unable to access log file. Please ensure that log/#
{RAILS_ENV}.log exists and is chmod 0666. " +
“The log level has been raised to WARN and the output directed
to STDERR until the problem is fixed.”
)
end

HTH-

-Ezra Z.
WebMaster
Yakima Herald-Republic Newspaper
removed_email_address@domain.invalid
509-577-7732


#7

Raphael B. <rblists@…> writes:

How can I prevent all my users’ passwords to end in the log files?
Rails logs all params, and that puts all passwords in the logs…

I’d prefer to not stop the logging
Is it possible to just not log the params? (Or can I use this method?
http://wiki.rubyonrails.com/rails/pages/HowtoSelectivelySuppressLogging

By default, in the development environment the logging threshold is set
to
“debug”, which shows almost everything–including user passwords
contained in
parameter hashes (scarry, isn’t it?).

Generally, this isn’t too much of a problem, though–it’s the
“development”
enviroment, after all, and when you’re doing development you usually DO
want to
see all that stuff. Fortunately, by default, the logging threshold is
set to
“info” for the production environment, which does NOT log parameter
hashes, so
all should be well and secure, for normal usage.

If for some reason you want to use a different logging level than these
defaults, you just add a line to the appropriate environment file
(config/environments/development.rb, for example) that says:
config.log_level = :info # or :error, or :warn, or whatever
That way you can set the logging level to whatever level shows you
enough
information for your needs, but not so much as to be insecure.

The reference you cite to the “silence” methods for ActiveRecord and
ActionController can be useful for temporarily changing the logging
level inside
a block of code, but it won’t work for blocking parameter hashes from
being
logged because that takes place before your ActionController object is
instantiated, so there’s nothing in your controller that silence can
wrap a
block around that would make a difference. The silence methods are
generally
only useful for stopping database field contents from being logged–but
if
you’re using salted and hashed passwords, that shouldn’t be a big deal,
anyway.

One last note: there’s an active ticket in the Rails tracking system
about a
hash that specifically hides passwords from being logged: see
http://dev.rubyonrails.org/ticket/1897.

–Forrest


#8

±Le 18/11/2005 15:48 +0100, Raphael B. a dit :
| Hi,
|
| A question I might have asked already but I still don’t have an answer:
|
| How can I prevent all my users’ passwords to end in the log files?
| Rails logs all params, and that puts all passwords in the logs…

You could do something like digest-md5 or cram-md5 with the client side
in
javascript. I did that some time ago for some company who did not want
root
to be able to see the passwords travel anywhere :slight_smile: