| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Cc: | Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, PostgreSQL Patches <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: logfile subprocess and Fancy File Functions |
| Date: | 2004-07-23 21:48:26 |
| Message-ID: | 28435.1090619306@sss.pgh.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> Tom Lane wrote:
>> Also, while I'm aware that a superuser can persuade the backend to write
>> on anything, it doesn't follow that we should invent pg_file_write(),
>> pg_file_rename(), or pg_file_unlink().
> I think the analogy is locking one door but leaving the other door
> unlocked.
Not only that, but posting a sign out front telling which door is
unlocked.
As for the analogy to COPY, the addition of unlink/rename to a hacker's
tool set renders the situation far more dangerous than if he only has
write. Write will not allow him to hack write-protected files, but he
might be able to rename them out of the way and create new trojaned
versions...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2004-07-23 21:56:08 | Re: logfile subprocess and Fancy File Functions |
| Previous Message | Stephan Szabo | 2004-07-23 21:40:38 | Re: logfile subprocess and Fancy File Functions |