"Magnus Hagander" <[EMAIL PROTECTED]> writes: > For the long term I was thinking something like "restrict_superuser", > which would disable both read and write, and COPY, and untrusted PL > creation, etc, etc. But that's not for 8.1.
That's exactly what I'm talking about. >> Also, as I already said, marking it as PGC_POSTMASTER is >> simply not adequate security. Once we have some sort of >> remote admin feature, I would expect it to support adjustment >> of even postmaster-level options (this would mean forcing a >> database restart of course) --- you can hardly say that you >> have a complete remote admin solution if you can't change >> shared_buffers or max_connections. > The point is you cannot *enable* it once it is *disabled*. Thus you > cannot *elevate* your privileges. Thus not a security issue. It will be as soon as we have remote admin. > Once we have a "real remote admin API", it becomes an argument, and it > will have to be adjusted. But we don't have that today, and I see no > need to create a new guc category just for this. After all, some of > these functions will probably go away completely once we have such an > API. None of these functions are getting into 8.1 anyway; we should be designing the long-term solution not making up short-lived hacks. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 3: Have you checked our extensive FAQ? http://www.postgresql.org/docs/faq