| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Florian G(dot) Pflug" <fgp(at)phlo(dot)org> |
| Cc: | Agent M <agentm(at)themactionfaction(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: sudo-like behavior |
| Date: | 2006-04-22 18:08:31 |
| Message-ID: | 7978.1145729311@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"Florian G. Pflug" <fgp(at)phlo(dot)org> writes:
> Why don't you just use "SET SESSION AUTHORIZATION somerole", and then scan
> the to-be-executel sql scripts for any occurence of "reset session authorization",
> and ignore the script it matches.
What would probably be better is a way to do SET SESSION AUTHORIZATION
and then abandon the underlying superuser privilege, thereby absolutely
guaranteeing that the session can't do anything the selected userid
shouldn't be able to do. You'd have to start a new session for each
cronjob, but that would be a Really Good Idea anyway, given the lack of
any way to fully restore a session to default state.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Florian G. Pflug | 2006-04-22 18:22:22 | Re: sudo-like behavior |
| Previous Message | Dave Page | 2006-04-22 18:03:18 | Re: Debian package for freeradius_postgresql module |