| From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
|---|---|
| To: | "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Cc: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "PostgreSQL-patches" <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: Updated instrumentation patch |
| Date: | 2005-07-30 15:29:09 |
| Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE094634@algol.sollentuna.se |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
> > > Also, as I already said, marking it as PGC_POSTMASTER is
> simply not
> > > adequate security. Once we have some sort of remote
> admin feature,
> > > I would expect it to support adjustment of even postmaster-level
> > > options (this would mean forcing a database restart of
> course) ---
> > > you can hardly say that you have a complete remote admin
> solution if
> > > you can't change shared_buffers or max_connections.
> >
> > The point is you cannot *enable* it once it is *disabled*. Thus you
> > cannot *elevate* your privileges. Thus not a security issue.
>
> I think any secure solution is going to have to block all
> write access to postgresql.conf, and that includes all the
> COPY TO and all the untrusted languages.
Exactly. But we won't get that for 8.1. So for now, we block all write
access through *new* functions, per the "let's at least not add more
security holes" rule.
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2005-07-30 15:38:54 | Re: Updated instrumentation patch |
| Previous Message | Bruce Momjian | 2005-07-30 15:21:22 | Re: Updated instrumentation patch |