From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Mladen Gogala <gogala(dot)mladen(at)gmail(dot)com>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: log_statement GUC parameter |
Date: | 2021-08-12 20:31:17 |
Message-ID: | 20210812203117.GB4822@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Thu, Aug 12, 2021 at 04:30:12PM -0400, Tom Lane wrote:
> Mladen Gogala <gogala(dot)mladen(at)gmail(dot)com> writes:
> > Unfortunately, only a superuser can set log_statement='all'; Would it be
> > possible to execute set session log_statement='all'; as an ordinary
> > user? I am trying to execute it from login.sql, a part of login_hook
> > extension which implements on-login triggers in PostgreSQL. I will
> > create a procedure with security definer, owned by the role "postgres",
> > and grant it to public. That should do the trick. However, it would be
> > much nicer if PostgreSQL allowed me to set the parameter as a part of
> > the normal session.
>
> If an ordinary user could manipulate that parameter, he could equally
> well hide his activities from the system log. Conversely, if the
> postmaster log setup is such that not a lot of volume is expected,
> then flooding it with extra traffic could create its own set of
> problems. Thus, basically all parameters that affect what is logged
> are superuser-only, and it'd be a hard sell to weaken that. The
> SECURITY DEFINER function approach is your best bet for poking local
> exceptions into that policy.
The nice thing about SECURITY DEFINER is that the super user controls
what values it can be set to.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2021-08-12 20:37:16 | Re: log_statement GUC parameter |
Previous Message | Tom Lane | 2021-08-12 20:30:12 | Re: log_statement GUC parameter |