| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Andres Freund <andres(at)anarazel(dot)de>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_ls_dir & friends still have a hard-coded superuser check |
| Date: | 2017-01-27 14:42:15 |
| Message-ID: | 29699.1485528135@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> The problem is if the interpretation functions aren't completely
> bulletproof, they might do things like crash the server if you use
> them to read a corrupt page. That is not any more appealing if you
> happen to be running as superuser() than otherwise.
I'm not aware that they're likely to crash the server, and if they
are, so would any regular access to the page in question. The
things we were worried about were more along the lines of unexpected
information disclosure.
This is not to say that I'm against making those functions more
bulletproof. I'm just saying that I find little point in reducing
their superuser checks if we can't get rid of the one in get_raw_page.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thomas Kellerer | 2017-01-27 14:52:07 | Re: GSoC 2017 |
| Previous Message | Alvaro Herrera | 2017-01-27 14:40:55 | Re: WIP: About CMake v2 |