Simon Riggs <> writes:
> [ good general plan ]

> 3. Make a list of all functions that would cause security problems.
> One by one, precisely. If we did remove all superuser checks we would
> need this list documented to advise people of the risks, so it must
> exist before any commit can be made, assuming we believe in
> documentation. Notice that I am after risk documentation,

Yeah, I think documentation is the crux of the issue.  If there is some
non-obvious reason why letting somebody use pg_ls_dir() is more of a
security hazard than it appears on the surface, the answer is to document
that so DBAs can decide for themselves whether to take the risk.

Count me +1 for removing hard-wired superuser checks, but carefully
and with an overall plan.

                        regards, tom lane

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to