| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
| Cc: | masao(dot)fujii(at)gmail(dot)com, amitlangote09(at)gmail(dot)com, tsukiwamoon(dot)pgsql(at)gmail(dot)com, pgsql-hackers(at)lists(dot)postgresql(dot)org, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Subject: | Re: Exposure related to GUC value of ssl_passphrase_command |
| Date: | 2020-02-13 03:38:34 |
| Message-ID: | 20200213033834.GC1520@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Feb 13, 2020 at 11:28:05AM +0900, Kyotaro Horiguchi wrote:
> I think it is reasonable.
Indeed, that makes sense to me as well. I am adding Peter Eisentraut
in CC as the author/committer of 8a3d942 to comment on that.
> By the way, I'm not sure the criteria of setting a GUC variable as
> GUC_SUPERUSER_ONLY, but for example, ssl_max/min_protocol_version,
> dynamic_library_path, log_directory, krb_server_keyfile,
> data_directory and config_file are GUC_SUPERUSER_ONLY. So, it seems to
> me very strange that ssl_*_file are not. Don't we need to mark them
> maybe and some of the other ssl_* as the same?
This should be a separate discussion IMO. Perhaps there is a point in
softening or hardening some of them.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Paquier | 2020-02-13 03:40:59 | Re: Unicode normalization SQL functions |
| Previous Message | Michael Paquier | 2020-02-13 03:28:04 | Re: Wait event that should be reported while waiting for WAL archiving to finish |