Magnus Hagander wrote:
> > > > Also, as I already said, marking it as PGC_POSTMASTER is
> > simply not
> > > > adequate security. Once we have some sort of remote
> > admin feature,
> > > > I would expect it to support adjustment of even postmaster-level
> > > > options (this would mean forcing a database restart of
> > course) ---
> > > > you can hardly say that you have a complete remote admin
> > solution if
> > > > you can't change shared_buffers or max_connections.
> > >
> > > The point is you cannot *enable* it once it is *disabled*. Thus you
> > > cannot *elevate* your privileges. Thus not a security issue.
> > I think any secure solution is going to have to block all
> > write access to postgresql.conf, and that includes all the
> > COPY TO and all the untrusted languages.
> Exactly. But we won't get that for 8.1. So for now, we block all write
> access through *new* functions, per the "let's at least not add more
> security holes" rule.
As far as I know, the only new functionality the patch adds _over_ copy
is the ability to write nulls, and rename/unlink. Should we just throw
an error when writing null bytes?
Bruce Momjian | http://candle.pha.pa.us
email@example.com | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings