| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Simon Riggs <simon(at)2ndquadrant(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_ls_dir & friends still have a hard-coded superuser check |
| Date: | 2017-01-27 13:13:33 |
| Message-ID: | 13392.1485522813@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Simon Riggs <simon(at)2ndquadrant(dot)com> writes:
> [ good general plan ]
> 3. Make a list of all functions that would cause security problems.
> One by one, precisely. If we did remove all superuser checks we would
> need this list documented to advise people of the risks, so it must
> exist before any commit can be made, assuming we believe in
> documentation. Notice that I am after risk documentation,
Yeah, I think documentation is the crux of the issue. If there is some
non-obvious reason why letting somebody use pg_ls_dir() is more of a
security hazard than it appears on the surface, the answer is to document
that so DBAs can decide for themselves whether to take the risk.
Count me +1 for removing hard-wired superuser checks, but carefully
and with an overall plan.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Antonin Houska | 2017-01-27 13:14:04 | Re: Performance improvement for joins where outer side is unique |
| Previous Message | Tom Lane | 2017-01-27 13:08:25 | Re: GSoC 2017 |