en - [sympa-users] Re: Passwords in logfiles

Subject: The mailing list for listmasters using Sympa

  • From: Jeff Abbott <address@concealed>
  • To: Peck Chris <address@concealed>
  • Cc: Sympa Users <address@concealed>
  • Subject: [sympa-users] Re: Passwords in logfiles
  • Date: Mon, 09 Apr 2007 09:49:10 -0400

Peck Chris wrote:

This is probably worth noting, as I just happened to notice it while debugging something...

I'm running sympa v5.2.4.

I just noticed that when log_level 2 or higher is configured in sympa.conf, wwsympa logs userids and passwords.

We had noticed this here, as well. Our solution is to not run with debug-levels of logging in our production environment, since we have a test environment in which we can do such things where the logs never leave the system. That might not be a possibility for everyone, however, and I think it might be better if passwords were stripped or obfuscated in the logs even at high levels of output. There should always be a level that logs them, however, for the purpose of troubleshooting password- and authentication-related problems, with a big note by that logging level stating that it's a bad idea to use in a production system.

Thanks,
Jeff
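
An added example, not part of either message and not Sympa's own code: a Python check that flags `log_level` 2 or higher in a `sympa.conf` and redacts password-like fields from log lines, along the lines Jeff suggests. The log line layout and the field names (`passwd`, `password`, `pwd`) are assumptions, since the thread does not show the actual wwsympa log format; the sample config and log lines are constructed.

```python
import re

# Threshold reported in the thread: log_level 2 or higher logs credentials.
RISKY_LOG_LEVEL = 2

# Assumed field names; the real wwsympa log format is not shown in the thread.
SECRET_FIELD = re.compile(
    r"\b(passwd|password|pwd)(\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|[^\s,;&)]+)",
    re.IGNORECASE,
)

def risky_log_levels(conf_text):
    """Return (line_number, level) for each active log_level >= 2.

    Assumes sympa.conf's "keyword value" lines with '#' comments.
    """
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"log_level\s+(\d+)", line)
        if m and int(m.group(1)) >= RISKY_LOG_LEVEL:
            hits.append((lineno, int(m.group(1))))
    return hits

def redact(line):
    """Replace the value of any password-like field, keeping the field name."""
    return SECRET_FIELD.sub(r"\1\2[REDACTED]", line)

def lines_with_secrets(lines):
    """Return 1-based numbers of log lines that carry a password-like field."""
    return [i for i, l in enumerate(lines, 1) if SECRET_FIELD.search(l)]

# Constructed sample input (hypothetical layout, not real Sympa output).
SAMPLE_CONF = """\
# constructed sample
domain lists.example.org
# log_level 0
log_level 2
"""
SAMPLE_LOG = [
    "Apr  9 09:12:01 host wwsympa[1234]: login email=alice@example.org passwd=hunter2",
    "Apr  9 09:12:02 host wwsympa[1234]: lists requested",
]

if __name__ == "__main__":
    for lineno, level in risky_log_levels(SAMPLE_CONF):
        print(f"sympa.conf line {lineno}: log_level {level} may log passwords")
    print("log lines needing cleanup:", lines_with_secrets(SAMPLE_LOG))
    for entry in SAMPLE_LOG:
        print(redact(entry))
```

Running `lines_with_secrets` over logs already written at the higher level shows which entries need to be purged or rewritten before the logs leave the system.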


