Tom Lane wrote:

Andrew Dunstan <[EMAIL PROTECTED]> writes:
Martijn van Oosterhout wrote:
Maybe someone should look into enabling Slony to not run as a
superuser?

That was my initial reaction to this suggestion. But then I realised that it might well make sense to have a separate connection-limited superuser for Slony purposes (or any other special purpose) alongside an unlimited superuser.

Actually, the real question in my mind is why Slony can't be trusted
to use the right number of connections to start with.  If you don't
trust it that far, what are you doing letting it into your database as
superuser to start with?

As for "connection-limited superuser", if you can't do ALTER USER SET
on yourself then you aren't a superuser, so any such restriction is
illusory anyway.


As a protection against malice, yes. I think Rod was more interested in some protection against stupidity.

Maybe the real answer is that Slony should connect as a non-superuser and call security definer functions for the privileged things it needs to do.

cheers

andrew
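
The design suggested in the last paragraph of the message above, sketched in SQL as an added example (not code from the thread or from Slony). The role, schema, table and function names are hypothetical, and re-enabling or disabling triggers stands in for whatever privileged operation the replication tool actually needs.

```sql
-- Constructed example: all object names are hypothetical.
-- Run as a superuser; one transaction so the function is never callable by PUBLIC.
BEGIN;

-- 1. Replication login: not a superuser, with a cap it cannot lift itself.
CREATE ROLE repl_agent LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    CONNECTION LIMIT 4;

-- 2. Schema holding the privileged wrappers, usable only by that role.
CREATE SCHEMA repl_admin;
REVOKE ALL ON SCHEMA repl_admin FROM PUBLIC;
GRANT USAGE ON SCHEMA repl_admin TO repl_agent;

-- 3. Allow-list of tables the wrapper may touch (repl_agent gets no access to it).
CREATE TABLE repl_admin.managed_tables (tbl regclass NOT NULL);

-- 4. Wrapper that runs with its owner's rights. search_path is pinned so the
--    caller cannot substitute its own objects for the ones referenced here.
CREATE FUNCTION repl_admin.set_triggers(p_tbl regclass, p_enable boolean)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM repl_admin.managed_tables m WHERE m.tbl = p_tbl) THEN
        RAISE EXCEPTION 'table % is not managed by replication', p_tbl
            USING ERRCODE = 'insufficient_privilege';
    END IF;
    -- regclass renders as a quoted, schema-qualified name, so %s is safe here.
    EXECUTE format('ALTER TABLE %s %s TRIGGER ALL',
                   p_tbl, CASE WHEN p_enable THEN 'ENABLE' ELSE 'DISABLE' END);
END;
$$;

-- 5. Functions are executable by PUBLIC by default: close that, then grant narrowly.
REVOKE ALL ON FUNCTION repl_admin.set_triggers(regclass, boolean) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION repl_admin.set_triggers(regclass, boolean) TO repl_agent;

COMMIT;
```

Connected as `repl_agent`, a direct `ALTER TABLE ... DISABLE TRIGGER ALL` fails for lack of ownership, while `SELECT repl_admin.set_triggers('public.orders', false)` succeeds only for tables listed in `repl_admin.managed_tables`.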
