Re: Remote administration functionality

On Sat, Jul 30, 2005 at 09:35:16PM -0700, Steve Atkins wrote:
> On Sat, Jul 30, 2005 at 11:39:20PM -0400, Bruce Momjian wrote:
> > Let me try to outline where I think our goals are for remote
> > administration. I will not comment on Dave's analysis of the patch
> > review process, but I think he has some valid points that this patch was
> > not treated properly.
> >
> > Basically, I think everyone wants remote administration. Remote
> > administration requires several things:
> >
> > o edit postgresql.conf
> > o edit pg_hba.conf
> > o reload the config files
> > o restart the server (for config variables requiring restart)
> > o view log files
> > o recycle log files
> > o rename/remove log files
> >
> > All these items are on the TODO list already.
>
> My security spider-sense tingles when I see the ability for a remote
> attacker to not only completely override password, certificate and IP
> absed authentication but also to easily remove logfiles.

Yes, I'd trim that part to support only rename of log files, and
constrain the destination to the log directory. (I guess I don't need
to mention that all log file operations are already constrained to files
inside the log directory.)

For the "edit postgresql.conf" part I guess it would be important to
have some settings that would not be changeable via this interface.

--
Alvaro Herrera (<alvherre[a]alvh.no-ip.org>)
"La primera ley de las demostraciones en vivo es: no trate de usar el sistema.
Escriba un guión que no toque nada para no causar daños." (Jakob Nielsen)