Gevik Babakhani wrote:
Removing or disabling the test without removing some of the dangerous capabilities would be a major security hole. For example: postgres can deliver to any authenticated user the contents of any text file on the system that the database user can read. Do you want the responsibility of allowing that for any file the administrator can read? No, I thought not. Neither do we.

True. This means that one just cannot "copy over" PG files and run the
database without creating additional users and services.
Just looking at how much windows standalone apps are being developed
which potentially could use an "embedded" or "light" version of PG,  I
still think the option should be considered. Perhaps in a more
restricted or striped-down version of PG. (PG Light or something).

You need to start with a security audit to work out which capabilities need to be disabled. COPY to and from files would be one obvious area, loading user modules might be another. The point is that we have chosen to avoid a large set of problems by forbidding running with elevated privileges, and if you want to relax that you need to identify the members of that set of problems, in some fairly formal way.

Frankly, if I were creating an app that needed an embedded db, I would probably not start with postgres. Sqlite was created just for this purpose. Ideally, for an embedded db you want to avoid the need for a server at all, if possible. That's never going to happen with postgres.



---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

Reply via email to