From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org> |
Cc: | Gabriele Bartolini <gabriele(dot)bartolini(at)enterprisedb(dot)com>, Isaac Morland <isaac(dot)morland(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Possibility to disable `ALTER SYSTEM` |
Date: | 2023-09-08 15:31:22 |
Message-ID: | 1882832.1694187082@sss.pgh.pa.us |
Lists: | pgsql-hackers |

Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org> writes:
> I don't understand Tom's resistance to this request.

It's false security. If you think you are going to prevent a superuser
from messing with the system's configuration, you are going to need a
lot more restrictions than this, and we'll be forever getting security
reports that "hey, I found another way for a superuser to get filesystem
access". I think the correct answer to this class of problems is "don't
give superuser privileges to clients running inside the container".

> I did not like the mention of COPY PROGRAM, though, and in principle I
> do not support the idea of treating it the same way as ALTER SYSTEM.

It's one of the easiest ways to modify postgresql.conf from SQL. If you
don't block that off, the feature is certainly not secure. (But of
course, there are more ways.)

regards, tom lane
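
An audit query for the mitigation argued in this message, added here as an example and not part of the original email or of any PostgreSQL patch: it lists the roles that are superusers or that hold the predefined roles governing server-side program execution and server file access. It assumes PostgreSQL 11 or later (where these predefined roles exist); the role name in the final comment is hypothetical.

```sql
-- Added example: find roles that can reach the server's filesystem from SQL.
-- Run as a role that can read pg_roles (any role can).
WITH privileged AS (
    SELECT r.rolname,
           r.rolcanlogin,
           r.rolsuper,
           -- membership (direct or inherited) in the role that permits COPY ... PROGRAM
           pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS exec_server_program,
           -- membership in the roles that permit server-side file write / read
           pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER')     AS write_server_files,
           pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')      AS read_server_files
    FROM pg_roles AS r
    WHERE r.rolname !~ '^pg_'          -- skip the predefined roles themselves
)
SELECT rolname,
       rolcanlogin,
       rolsuper,
       exec_server_program,
       write_server_files,
       read_server_files
FROM privileged
WHERE rolsuper
   OR exec_server_program
   OR write_server_files
   OR read_server_files
ORDER BY rolcanlogin DESC,   -- roles a client can actually connect as come first
         rolsuper DESC,
         rolname;

-- Remediation for a client role that shows up above (hypothetical role name):
--   ALTER ROLE app_client NOSUPERUSER;
--   REVOKE pg_execute_server_program FROM app_client;
```

Any login role used by clients inside the container that appears in the result is one this message's argument applies to.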