On 02/17/2016 03:34 PM, Josh berkus wrote: > On 02/17/2016 03:02 PM, Tom Lane wrote: >> Joe Conway <m...@joeconway.com> writes: >>> On 02/17/2016 02:14 PM, Tom Lane wrote: >>>> I thought we'd agreed on requiring superuser access for this function. >>>> I concur that letting just anyone see the config data is inappropriate. >> >>> It does not let anyone see config data out of the box: >> >>> + CREATE VIEW pg_config AS >>> + SELECT * FROM pg_config(); >>> + >>> + REVOKE ALL on pg_config FROM PUBLIC; >>> + REVOKE EXECUTE ON FUNCTION pg_config() FROM PUBLIC; >> >> Ah, that's fine. I'd looked for a superuser() check and not seen one, >> but letting the SQL permissions system handle it seems good enough. > > What I like about this is that if I want to expose it to a > non-superuser, I can just do a GRANT instead of needing to write a > security definer view.
Which was my reason for doing it this way, although that GRANT will not get preserved by pg_dump currently. Stephen Frost is working on a patch to change/fix that though (see the "Additional role attributes && superuser review" thread), which I believe he intends to get done RSN and into 9.6. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Description: OpenPGP digital signature