Stephen Frost <sfr...@snowman.net> writes:
> I'm guessing no, which essentially means that *we* consider access to
> lo_import/lo_export to be equivalent to superuser and therefore we're
> not going to implement anything to try and prevent the user who has
> access to those functions from becoming superuser. If we aren't willing
> to do that, then how can we really say that there's some difference
> between access to these functions and being a superuser?
We seem to be talking past each other. Yes, if a user has malicious intentions, it's possible to parlay lo_export into obtaining a superuser login (I'm less sure that that's necessarily true for lo_import). That does NOT make it "equivalent", except perhaps in the view of someone who is only considering blocking malevolent actors. It does not mean that there's no value in preventing a task that needs to run lo_export from being able to accidentally destroy any data in the database. There's a range of situations where you are concerned about accidents and errors, not malicious intent; but your argument ignores those use-cases.

To put it more plainly: your argument is much like saying that a person who knows a sudo password might as well do everything they ever do as root.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
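The distinction Tom draws above (a privilege that a malicious holder could escalate, but that still limits what an honest task can break) can be seen directly in a session. The following is an added illustration, not code from the thread or from PostgreSQL itself. It assumes a PostgreSQL release in which EXECUTE on lo_export is revoked from PUBLIC by default and can be granted by a superuser (the behaviour being discussed in this thread); the role name lo_exporter, the payroll table and the path /tmp/lo_demo.bin are made up for the demo. Run it as a superuser in psql.

```sql
-- Added example (constructed for this page, not from the thread).
-- Assumes lo_export's EXECUTE privilege is grantable by a superuser
-- and that the server's OS user may write to /tmp.
-- Names (lo_exporter, payroll, /tmp/lo_demo.bin) are arbitrary.

CREATE ROLE lo_exporter;                   -- task role, deliberately NOT SUPERUSER
CREATE TABLE payroll (id int PRIMARY KEY, amount numeric);
INSERT INTO payroll VALUES (1, 1000);

-- Hand the task role exactly one extra capability: writing server-side
-- files through lo_export.  This is the "sudo password" in the analogy.
GRANT EXECUTE ON FUNCTION lo_export(oid, text) TO lo_exporter;

SET ROLE lo_exporter;

-- The capability works: create a large object and export it to the
-- server's filesystem (the file is written by the database server's OS user).
SELECT lo_export(lo_from_bytea(0, '\x48656c6c6f'), '/tmp/lo_demo.bin');

-- Ordinary object privileges are untouched.  A stray DROP or DELETE in a
-- script run under this role fails on a permission error instead of
-- destroying data: lo_exporter neither owns payroll nor has any grant on it.
DROP TABLE payroll;
DELETE FROM payroll;

RESET ROLE;

-- Audit check: which non-superuser roles hold the grant?  Review this
-- list the same way you would review sudoers, since a malicious holder
-- of lo_export can still work toward superuser.
SELECT r.rolname,
       has_function_privilege(r.rolname, 'lo_export(oid, text)', 'EXECUTE') AS can_export,
       has_function_privilege(r.rolname, 'lo_import(text)',      'EXECUTE') AS can_import
FROM pg_roles r
WHERE NOT r.rolsuper
  AND r.rolname NOT LIKE 'pg\_%';
```

The DROP and DELETE are expected to fail; if you run the script with psql's ON_ERROR_STOP set, stop it there on purpose. The point is the one Tom makes: the grant does not make lo_exporter a superuser for the accident-and-error case, even though the role should still be treated as trusted because the same capability is escalatable by someone acting in bad faith.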