On 01/05/2017 08:27 AM, Robert Haas wrote: > There's also the question of whether opening up the ability to do > this sort of thing from the SQL level is a security hazard,
It unquestionably is. > but we've already gone fairly far down the path of assuming that > there's not a tremendous amount of privilege separation between the > operating system user account and the database superuser, I think this is a very bad assumption. > so maybe the answer is that as things stand it's not expanding the > vulnerability surface very much. Perhaps as things currently stand this is true. > One thing I'm kind of happy about is that, as far as I can see, there > hasn't been much backlash against the existing ALTER SYSTEM, either > from a security point of view or a user-confusion point of view. Possibly only because there are workarounds possible using hooks and extension code. Personally I think we should have an official way to disable ALTER SYSTEM and I would like the same for pg_hba.conf related functionality. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
signature.asc
Description: OpenPGP digital signature
