> > > Also, as I already said, marking it as PGC_POSTMASTER is > simply not > > > adequate security. Once we have some sort of remote > admin feature, > > > I would expect it to support adjustment of even postmaster-level > > > options (this would mean forcing a database restart of > course) --- > > > you can hardly say that you have a complete remote admin > solution if > > > you can't change shared_buffers or max_connections. > > > > The point is you cannot *enable* it once it is *disabled*. Thus you > > cannot *elevate* your privileges. Thus not a security issue. > > I think any secure solution is going to have to block all > write access to postgresql.conf, and that includes all the > COPY TO and all the untrusted languages.
Exactly. But we won't get that for 8.1. So for now, we block all write access through *new* functions, per the "let's at least not add more security holes" rule. //Magnus ---------------------------(end of broadcast)--------------------------- TIP 1: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly