Re: Remote administration functionality

On Sat, Jul 30, 2005 at 11:39:20PM -0400, Bruce Momjian wrote:
> Let me try to outline where I think our goals are for remote
> administration. I will not comment on Dave's analysis of the patch
> review process, but I think he has some valid points that this patch was
> not treated properly.
>
> Basically, I think everyone wants remote administration. Remote
> administration requires several things:
>
> o edit postgresql.conf
> o edit pg_hba.conf
> o reload the config files
> o restart the server (for config variables requiring restart)
> o view log files
> o recycle log files
> o rename/remove log files
>
> All these items are on the TODO list already.

My security spider-sense tingles when I see the ability for a remote
attacker to not only completely override password, certificate and IP
absed authentication but also to easily remove logfiles.

So, while I can see the attraction of being able to futz with the
database security configuration through a PHP web interface running on
an unpatched Apache build somewhere out on the open internet (and
would like to be able to do so myself, sometimes) I'd really, really
like to see the ability to disable as much of this at compile time as
is convenient.

Cheers,
Steve