* Tom Lane (t...@sss.pgh.pa.us) wrote:
> Andres Freund <and...@anarazel.de> writes:
> > ... We don't prevent the user from making the
> > configuration file world-writable either,
>
> Maybe we should. It wasn't an issue originally, because the config files
> were necessarily inside $PGDATA which we restrict permissions on. But
> these days you can place the config files in places where untrustworthy
> people could get at them.

No, we should be improving our support of systems which provide more specific groups, not destroying it. Being able to run backups as a user who is not able to modify the database would be great too, and that case isn't covered by your approach to "allow group rights if the file is owned by root."

Further, the notion that *this* is the footgun is completely off the reservation- if the files have been changed to allow untrusted users to have access to them, there isn't diddly we can do about it. All we're doing with this is imposing our own idea of what the system policy should be, even though there are clear examples where that's just blatantly wrong.

If we really want to force these checks to happen (and I'm not convinced that they're actually useful at all), then we need to provide a way for users and distributions to control the specifics of the checks as they choose. Maybe that's a command-line switch instead of a GUC, or it's something else, but there clearly isn't "one true way" here and we should be flexible.

Thanks!

Stephen