On Sat, Nov 11, 2017 at 9:01 AM, Michael Paquier <michael.paqu...@gmail.com> wrote: > On Sat, Nov 11, 2017 at 12:50 AM, Robert Haas <robertmh...@gmail.com> wrote: >> On Fri, Nov 10, 2017 at 10:34 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >>> I think as far as that goes, we can just change to "Therefore, by default >>> their use is restricted ...". Then I suggest adding a <caution> para >>> after that, with wording along the lines of >>> >>> It is possible to GRANT use of server-side lo_import and lo_export to >>> non-superusers, but careful consideration of the security implications >>> is required. A malicious user of such privileges could easily parlay >>> them into becoming superuser (for example by rewriting server >>> configuration files), or could attack the rest of the server's file >>> system without bothering to obtain database superuser privileges as >>> such. Access to roles having such privilege must therefore be guarded >>> just as carefully as access to superuser roles. Nonetheless, if use >>> of server-side lo_import or lo_export is needed for some routine task, >>> it's safer to use a role of this sort than full superuser privilege, >>> as that helps to reduce the risk of damage from accidental errors. >> >> +1. That seems like great language to me. > > +1. Not convinced that mentioning wrappers is worth the complication. > Experienced admins likely already know such matters.
For archives' sake, doc improvements are committed as of 6d77652. -- Michael
