Gevik Babakhani wrote:
Removing or disabling the test without removing some of the dangerous
capabilities would be a major security hole. For example: postgres can
deliver to any authenticated user the contents of any text file on the
system that the database user can read. Do you want the responsibility
of allowing that for any file the administrator can read? No, I thought
not. Neither do we.
True. This means that one just cannot "copy over" PG files and run the
database without creating additional users and services.
Just looking at how much windows standalone apps are being developed
which potentially could use an "embedded" or "light" version of PG, I
still think the option should be considered. Perhaps in a more
restricted or striped-down version of PG. (PG Light or something).
You need to start with a security audit to work out which capabilities
need to be disabled. COPY to and from files would be one obvious area,
loading user modules might be another. The point is that we have chosen
to avoid a large set of problems by forbidding running with elevated
privileges, and if you want to relax that you need to identify the
members of that set of problems, in some fairly formal way.
Frankly, if I were creating an app that needed an embedded db, I would
probably not start with postgres. Sqlite was created just for this
purpose. Ideally, for an embedded db you want to avoid the need for a
server at all, if possible. That's never going to happen with postgres.
---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings