--On 13. November 2009 19:08:22 -0500 Tom Lane <t...@sss.pgh.pa.us> wrote:

It looks to me like the code in AlterSetting() will allow an ordinary
user to blow away all settings for himself.  Even those that are for
SUSET variables and were presumably set for him by a superuser.  Isn't
this a security hole?  I would expect that an unprivileged user should
not be able to change such settings, not even to the extent of
reverting to the installation-wide default.

I agree. A quick check shows that resetting or changing a single parameter is not allowed, so this seems inconsistent anyway. Maybe AlterSetting() should be more strict and pick only those settings that are safe for ordinary users to reset?

--
Thanks

        Bernd
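
The stricter behaviour suggested in this thread, sketched as an added example (not PostgreSQL's code and not written by either poster): a RESET ALL that removes only the entries the caller is allowed to reset and keeps the rest. The type names, function names and three-row table are hypothetical, and the sample settings are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: only the two GUC contexts that matter in this thread. */
typedef enum { CTX_USERSET, CTX_SUSET } GucCtx;
typedef struct { const char *name; GucCtx ctx; } GucInfo;
/* Constructed lookup table, not the server's real GUC metadata. */
static const GucInfo guc_table[] = {
    { "work_mem",      CTX_USERSET },
    { "search_path",   CTX_USERSET },
    { "log_statement", CTX_SUSET   },
};

/* Unknown names are treated as superuser-only, so the check fails closed. */
static GucCtx guc_context(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof guc_table / sizeof guc_table[0]; i++)
        if (strlen(guc_table[i].name) == len && !strncmp(guc_table[i].name, name, len))
            return guc_table[i].ctx;
    return CTX_SUSET;
}

/* May this caller reset the stored "name=value" entry? */
static bool may_reset(const char *entry, bool is_superuser)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    return is_superuser || guc_context(entry, len) == CTX_USERSET;
}

/* RESET ALL: drop what the caller may reset, compact and count the rest. */
size_t reset_all_settings(const char **entries, size_t n, bool is_superuser)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!may_reset(entries[i], is_superuser))
            entries[kept++] = entries[i];
    return kept;
}

int main(void)
{
    /* Constructed per-role settings, as stored by a superuser. */
    const char *s[] = { "work_mem=64MB", "log_statement=all", "search_path=app" };
    printf("%zu kept\n", reset_all_settings(s, 3, false));
    return 0;
}
```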
