| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
| Cc: | "PostgreSQL-patches" <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: Updated instrumentation patch |
| Date: | 2005-07-30 15:58:15 |
| Message-ID: | 27184.1122739095@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
"Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
> For the long term I was thinking something like "restrict_superuser",
> which would disable both read and write, and COPY, and untrusted PL
> creation, etc, etc. But that's not for 8.1.
That's exactly what I'm talking about.
>> Also, as I already said, marking it as PGC_POSTMASTER is
>> simply not adequate security. Once we have some sort of
>> remote admin feature, I would expect it to support adjustment
>> of even postmaster-level options (this would mean forcing a
>> database restart of course) --- you can hardly say that you
>> have a complete remote admin solution if you can't change
>> shared_buffers or max_connections.
> The point is you cannot *enable* it once it is *disabled*. Thus you
> cannot *elevate* your privileges. Thus not a security issue.
It will be as soon as we have remote admin.
> Once we have a "real remote admin API", it becomes an argument, and it
> will have to be adjusted. But we don't have that today, and I see no
> need to create a new guc category just for this. After all, some of
> these functions will probably go away completely once we have such an
> API.
None of these functions are getting into 8.1 anyway; we should be
designing the long-term solution not making up short-lived hacks.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2005-07-30 16:06:11 | Re: P.tch to mention cost-based delay in vacuum reference |
| Previous Message | Bruce Momjian | 2005-07-30 15:58:06 | Re: Updated instrumentation patch |