On Fri, Nov 10, 2017 at 10:34 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: > I think as far as that goes, we can just change to "Therefore, by default > their use is restricted ...". Then I suggest adding a <caution> para > after that, with wording along the lines of > > It is possible to GRANT use of server-side lo_import and lo_export to > non-superusers, but careful consideration of the security implications > is required. A malicious user of such privileges could easily parlay > them into becoming superuser (for example by rewriting server > configuration files), or could attack the rest of the server's file > system without bothering to obtain database superuser privileges as > such. Access to roles having such privilege must therefore be guarded > just as carefully as access to superuser roles. Nonetheless, if use > of server-side lo_import or lo_export is needed for some routine task, > it's safer to use a role of this sort than full superuser privilege, > as that helps to reduce the risk of damage from accidental errors.
+1. That seems like great language to me. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers