The bottom line is that I have no problem with making this change, but I
want to be sure it is a full solution we aren't going to have to revisit
later.  I don't want to make the change and then find out we rushed it
and have to make more adjustments in later releases.

---------------------------------------------------------------------------

Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > Tom Lane wrote:
> >> started because setting these variables via ALTER USER fails to work.
> 
> > It fails to work if logging was already on and someone wants to turn it
> > off via ALTER USER, and that matches the expected behavior.
> 
> Not if a superuser does it; superusers should be allowed to set it
> however they want.  In current code a superuser can't even set it
> that way for himself, let alone for other nonprivileged users.
> You seem to define "expected behavior" as "whatever the code does now",
> but in point of fact it's got lots of deficiencies.
> 
> > Well, you have just made the system less secure by creating that
> > function.  Why didn't you create a function that has the existing
> > behavior of only allowing users to increase the log level?
> 
> I repeat my point: I don't think DBAs actually need that.  In the
> function as illustrated, I gave joe_user (and nobody else) the choice
> between 'all' and 'ddl' (and nothing else), where I suppose 'ddl' is the
> global default.  This is in fact a whole lot *more* secure than the
> existing behavior, in the sense that I can constrain what's allowed a
> lot more.
> 
> If I later decide I want 'mod' as the global default, I can alter the
> function to map it that way, and joe_user's application is entirely
> unaffected.  This is *not* true if I expect joe_user's app to set the
> variable directly.  He has to go change his app to conform to the new
> global default.
> 
> >> think so.  I think that in the field, people are going to have at most
> >> a couple of logging configurations they want to allow users to select,
> >> and they will use code not significantly more complex than the above.
> 
> > Can you show me the function?
> 
> I did.
> 
> > You should ask on general where
> > we usually do such polls of feature changes?
> 
> Where was the poll in which we decided that the logging variables needed
> to be secured at all?  In 7.3 these variables were all plain USERSET.
> 
>                       regards, tom lane
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  [EMAIL PROTECTED]               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

               http://www.postgresql.org/docs/faqs/FAQ.html

Reply via email to