On Fri, Aug 19, 2005 at 08:03:39AM -0700, Stephan Szabo wrote:
> On Fri, 19 Aug 2005, Bernard wrote:
>
> > But we can take this one step further so that we don't even need to
> > trust ourselves:
> >
> > The logical next step is that for a non-postgresql-superuser user,
> > COPY FROM files have to be world-readable and COPY TO files and
> > directories have to be world-writable. The server checks the file
> > attributes and grants copy permission depending on them. Obviously any
> > Postrgres system files must not be world-readable and world-writable.
> >
> > Problem solved. One doesn't need to be a genius to figure this out.
>
> No, it's not solved. It prevents that problem for the configuration
> files, but still gives access to other world readable files on the system
> for example /etc/passwd on many systems (yes it's not terribly interesting
> in general, but still is often not acceptable to retrieve).
>
> You'd probably want to add the ability to setup which directories that are
> allowed to be read or written to as configuration separately from unix
> file permissions.
FWIW, this is exactly what Oracle does. A DBA has to configure what
directories you can bulk copy to/from.
--
Jim C. Nasby, Sr. Engineering Consultant jnasby(at)pervasive(dot)com
Pervasive Software http://pervasive.com 512-569-9461