Skip site navigation (1) Skip section navigation (2)

Re: Proposed patch to remove USERLIMIT

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: Proposed patch to remove USERLIMIT
Date: 2004-11-11 16:27:59
Message-ID: 200411111627.iABGRxn22594@candle.pha.pa.us (view raw or flat)
Thread:
Lists: pgsql-patches
The bottom line is that I have no problem with making this change, but I
want to be sure it is a full solution we aren't going to have to revisit
later.  I don't want to make the change and then find out we rushed it
and have to make more adjustments in later releases.

---------------------------------------------------------------------------

Tom Lane wrote:
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > Tom Lane wrote:
> >> started because setting these variables via ALTER USER fails to work.
> 
> > It fails to work if logging was already on and someone wants to turn it
> > off via ALTER USER, and that matches the expected behavior.
> 
> Not if a superuser does it; superusers should be allowed to set it
> however they want.  In current code a superuser can't even set it
> that way for himself, let alone for other nonprivileged users.
> You seem to define "expected behavior" as "whatever the code does now",
> but in point of fact it's got lots of deficiencies.
> 
> > Well, you have just made the system less secure by creating that
> > function.  Why didn't you create a function that has the existing
> > behavior of only allowing users to increase the log level?
> 
> I repeat my point: I don't think DBAs actually need that.  In the
> function as illustrated, I gave joe_user (and nobody else) the choice
> between 'all' and 'ddl' (and nothing else), where I suppose 'ddl' is the
> global default.  This is in fact a whole lot *more* secure than the
> existing behavior, in the sense that I can constrain what's allowed a
> lot more.
> 
> If I later decide I want 'mod' as the global default, I can alter the
> function to map it that way, and joe_user's application is entirely
> unaffected.  This is *not* true if I expect joe_user's app to set the
> variable directly.  He has to go change his app to conform to the new
> global default.
> 
> >> think so.  I think that in the field, people are going to have at most
> >> a couple of logging configurations they want to allow users to select,
> >> and they will use code not significantly more complex than the above.
> 
> > Can you show me the function?
> 
> I did.
> 
> > You should ask on general where
> > we usually do such polls of feature changes?
> 
> Where was the poll in which we decided that the logging variables needed
> to be secured at all?  In 7.3 these variables were all plain USERSET.
> 
> 			regards, tom lane
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

In response to

Responses

pgsql-patches by date

Next:From: Patrick B KellyDate: 2004-11-11 16:53:00
Subject: Re: multiline CSV fields
Previous:From: Bruce MomjianDate: 2004-11-11 16:08:15
Subject: Re: Proposed patch to remove USERLIMIT

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group