"Magnus Hagander" <[EMAIL PROTECTED]> writes:
> For the long term I was thinking something like "restrict_superuser",
> which would disable both read and write, and COPY, and untrusted PL
> creation, etc, etc. But that's not for 8.1. 

That's exactly what I'm talking about.

>> Also, as I already said, marking it as PGC_POSTMASTER is 
>> simply not adequate security.  Once we have some sort of 
>> remote admin feature, I would expect it to support adjustment 
>> of even postmaster-level options (this would mean forcing a 
>> database restart of course) --- you can hardly say that you 
>> have a complete remote admin solution if you can't change 
>> shared_buffers or max_connections.

> The point is you cannot *enable* it once it is *disabled*. Thus you
> cannot *elevate* your privileges. Thus not a security issue.

It will be as soon as we have remote admin.

> Once we have a "real remote admin API", it becomes an argument, and it
> will have to be adjusted. But we don't have that today, and I see no
> need to create a new guc category just for this. After all, some of
> these functions will probably go away completely once we have such an
> API.

None of these functions are getting into 8.1 anyway; we should be
designing the long-term solution not making up short-lived hacks.

                        regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?


Reply via email to