| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
| Cc: | "PostgreSQL-patches" <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: Updated instrumentation patch |
| Date: | 2005-07-30 15:07:44 |
| Message-ID: | 26887.1122736064@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
"Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
> Per recent discussion, here is yet another updated version of the
> instrumentation patch. Changes:
> * Added guc option "disable_remote_admin", that disables any write
> operations (write, unlink, rename) even for the superuser. Set as
> PGC_POSTMASTER so it cannot be changed remotely.
I was envisioning it as disabling all filesystem access --- read as well
as write. Essentially the abstract concept I want is that with this on,
even a superuser cannot use Postgres to get at the underlying operating
system. A name like "enable_filesystem_access" would probably be more
appropriate.
Also, as I already said, marking it as PGC_POSTMASTER is simply not
adequate security. Once we have some sort of remote admin feature,
I would expect it to support adjustment of even postmaster-level options
(this would mean forcing a database restart of course) --- you can
hardly say that you have a complete remote admin solution if you can't
change shared_buffers or max_connections.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2005-07-30 15:14:03 | Re: Updated instrumentation patch |
| Previous Message | Bruce Momjian | 2005-07-30 14:57:15 | Re: [HACKERS] Autovacuum loose ends |