From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Simon Riggs <simon(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: ALTER SYSTEM for pg_hba.conf |
Date: | 2017-01-05 18:12:19 |
Message-ID: | cbe0039c-8783-0f44-4720-e558852652be@joeconway.com |
Lists: | pgsql-hackers |

On 01/05/2017 08:27 AM, Robert Haas wrote:
> There's also the question of whether opening up the ability to do
> this sort of thing from the SQL level is a security hazard,

It unquestionably is.

> but we've already gone fairly far down the path of assuming that
> there's not a tremendous amount of privilege separation between the
> operating system user account and the database superuser,

I think this is a very bad assumption.

> so maybe the answer is that as things stand it's not expanding the
> vulnerability surface very much.

Perhaps as things currently stand this is true.

> One thing I'm kind of happy about is that, as far as I can see, there
> hasn't been much backlash against the existing ALTER SYSTEM, either
> from a security point of view or a user-confusion point of view.

Possibly only because there are workarounds possible using hooks and
extension code. Personally I think we should have an official way to
disable ALTER SYSTEM and I would like the same for pg_hba.conf related
functionality.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development