On 07/18/2018 04:25 PM, Tom Lane wrote:
> Alvaro Herrera <alvhe...@2ndquadrant.com> writes:
>> Seems to me that passing %-specifiers to the command would make it more
>> useful (%u for "user", "host" etc) -- your command could refuse to give
>> you a password for the superuser account for instance but grant one for
>> a read-only user.
>
> It would also provide a *very* fertile source of shell-script-injection
> vulnerabilities.  (Whaddya mean, you tried to use a user name with a
> quote mark in it?)
>
> This is exactly the kind of area in which I'm concerned for the
> possibility of sloppily-written scripts being a net negative for
> security.

Although I appreciate the concern, can we not worry about this? Your argument basically boils down to: Dumb will be Dumb. That will not change no matter what we do, as is obvious by the number of people STILL using postgres as their connected web app user. The usability of this feature, if fleshed out correctly, is pretty large.

JD

> regards, tom lane


--
Command Prompt, Inc. || http://the.postgres.company/ || @cmdpromptinc
***  A fault and talent of mine is to tell it exactly how it is.  ***
PostgreSQL centered full stack support, consulting and development.
Advocate: @amplifypostgres || Learn: https://postgresconf.org
*****     Unless otherwise stated, opinions are my own.   *****
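
The quote-mark case raised in the quoted text above, as an added example that is not part of this thread or of PostgreSQL's code: it expands %-specifiers into a shell command line naively and with shell quoting, then shows the alternative of passing the value in the environment. The `%h` specifier, the `echo` stand-in command and the `PW_USER` variable name are assumptions made for illustration.

```python
import os
import re
import shlex
import subprocess

# Assumed specifier set: %u = user name, %h = host, %% = literal percent.
SPECIFIERS = {"u": "user", "h": "host"}

def expand(template, values, quote):
    """Substitute %-specifiers; quote=False is the naive, injectable form."""
    def repl(match):
        code = match.group(1)
        if code == "%":
            return "%"
        if code not in SPECIFIERS:
            raise ValueError("unknown specifier %" + code)
        value = values[SPECIFIERS[code]]
        # shlex.quote wraps the value so the shell sees exactly one word.
        # The template must then NOT put its own quotes around %u or %h.
        return shlex.quote(value) if quote else value
    return re.sub(r"%(.)", repl, template)

def run(cmdline, extra_env=None):
    """Run cmdline through /bin/sh; return (exit status, stdout)."""
    env = dict(os.environ, **(extra_env or {}))
    proc = subprocess.run(["/bin/sh", "-c", cmdline], env=env,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout

# Constructed sample input: a user name with a quote mark in it.
SAMPLE = {"user": "o'brien", "host": "db1"}
TEMPLATE = "echo user=%u host=%h"   # stand-in for a real password helper

def demo():
    naive = run(expand(TEMPLATE, SAMPLE, quote=False))   # shell syntax error
    quoted = run(expand(TEMPLATE, SAMPLE, quote=True))   # value arrives intact
    # Alternative with no substitution at all: hand the value over in the
    # environment (PW_USER is a hypothetical variable name).
    via_env = run('echo user="$PW_USER"', {"PW_USER": SAMPLE["user"]})
    return naive, quoted, via_env

if __name__ == "__main__":
    for label, result in zip(("naive", "quoted", "env"), demo()):
        print(label, result)
```

Quoting at expansion time only helps if the command template leaves `%u` bare; a template that already wraps `%u` in its own quotes defeats it, which is why the environment variant is the less fragile design.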