On Fri, Nov 10, 2017 at 10:34 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> I think as far as that goes, we can just change to "Therefore, by default
> their use is restricted ...".  Then I suggest adding a <caution> para
> after that, with wording along the lines of
>     It is possible to GRANT use of server-side lo_import and lo_export to
>     non-superusers, but careful consideration of the security implications
>     is required.  A malicious user of such privileges could easily parlay
>     them into becoming superuser (for example by rewriting server
>     configuration files), or could attack the rest of the server's file
>     system without bothering to obtain database superuser privileges as
>     such.  Access to roles having such privilege must therefore be guarded
>     just as carefully as access to superuser roles.  Nonetheless, if use
>     of server-side lo_import or lo_export is needed for some routine task,
>     it's safer to use a role of this sort than full superuser privilege,
>     as that helps to reduce the risk of damage from accidental errors.

+1.  That seems like great language to me.

Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to