Magnus Hagander wrote: > > > > > Also, as I already said, marking it as PGC_POSTMASTER is > > simply not > > > > adequate security. Once we have some sort of remote > > admin feature, > > > > I would expect it to support adjustment of even postmaster-level > > > > options (this would mean forcing a database restart of > > course) --- > > > > you can hardly say that you have a complete remote admin > > solution if > > > > you can't change shared_buffers or max_connections. > > > > > > The point is you cannot *enable* it once it is *disabled*. Thus you > > > cannot *elevate* your privileges. Thus not a security issue. > > > > I think any secure solution is going to have to block all > > write access to postgresql.conf, and that includes all the > > COPY TO and all the untrusted languages. > > Exactly. But we won't get that for 8.1. So for now, we block all write > access through *new* functions, per the "let's at least not add more > security holes" rule.
As far as I know, the only new functionality the patch adds _over_ copy is the ability to write nulls, and rename/unlink. Should we just throw an error when writing null bytes? -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 ---------------------------(end of broadcast)--------------------------- TIP 5: don't forget to increase your free space map settings