Re: Hiding a GUC from SQL

2020-06-22 Thread Michel Pelletier
On Sun, Jun 21, 2020 at 10:21 PM raf wrote:
> Laurenz Albe wrote:
>
> > > But only mostly useless. :-) There are ways to limit the power of the
> > > superuser. On Linux, for instance, "sysctl kernel.yama.ptrace_scope=3"
> > > prevents tracing, debugging, and reading another process's memory, eve

Re: Hiding a GUC from SQL

2020-06-21 Thread raf
Laurenz Albe wrote:
> On Mon, 2020-06-22 at 09:44 +1000, raf wrote:
> > A superuser can access files and start programs on the server machine.
> > > A dedicated superuser may for example attach to PostgreSQL with a debugger
> > > and read the value of the variable.
> > >
> > > And if that doesn't

Re: Hiding a GUC from SQL

2020-06-21 Thread Laurenz Albe
On Mon, 2020-06-22 at 09:44 +1000, raf wrote:
> A superuser can access files and start programs on the server machine.
> > A dedicated superuser may for example attach to PostgreSQL with a debugger
> > and read the value of the variable.
> >
> > And if that doesn't work, there may be other things

Re: Hiding a GUC from SQL

2020-06-21 Thread raf
Laurenz Albe wrote:
> On Wed, 2020-06-17 at 13:23 -0700, Michel Pelletier wrote:
> > In my extension pgsodium I'm defining a custom variable at startup to store
> > a key:
> >
> > https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107
> >
> > I'm using the flags GUC_NO_SHOW_ALL |

Re: Hiding a GUC from SQL

2020-06-18 Thread Michel Pelletier
On Thu, Jun 18, 2020 at 7:47 AM Laurenz Albe wrote:
> On Wed, 2020-06-17 at 13:23 -0700, Michel Pelletier wrote:
> >
> > Any thoughts on weaknesses to this approach would be welcome. Thanks!
>
> A superuser can access files and start programs on the server machine.
>
> A dedicated superuser ma

Re: Hiding a GUC from SQL

2020-06-18 Thread Michel Pelletier
On Wed, Jun 17, 2020 at 3:55 PM Tom Lane wrote:
> Michel Pelletier writes:
> > In my extension pgsodium I'm defining a custom variable at startup to store
> > a key:
>
> > https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107
>
> > I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RE

Re: Hiding a GUC from SQL

2020-06-18 Thread Laurenz Albe
On Wed, 2020-06-17 at 13:23 -0700, Michel Pelletier wrote:
> In my extension pgsodium I'm defining a custom variable at startup to store a
> key:
>
> https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107
>
> I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPL

Re: Hiding a GUC from SQL

2020-06-17 Thread Tom Lane
Michel Pelletier writes:
> In my extension pgsodium I'm defining a custom variable at startup to store
> a key:
> https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107
> I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE
> | GUC_DISALLOW_IN_FILE, and a cust

Hiding a GUC from SQL

2020-06-17 Thread Michel Pelletier
In my extension pgsodium I'm defining a custom variable at startup to store a key:

https://github.com/michelp/pgsodium/blob/master/src/pgsodium.c#L1107

I'm using the flags GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE, and a custom "no show" show hook that obscures