| From: | Dave Page <dpage(at)pgadmin(dot)org> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Simon Riggs <simon(at)2ndquadrant(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Streaming replication as a separate permissions |
| Date: | 2010-12-27 09:52:57 |
| Message-ID: | AANLkTimUPXWfwgB0NZ_nmFmUSfSTrvWQVKXeK-kaZBVo@mail.gmail.com |
| Lists: | pgsql-hackers |
On Mon, Dec 27, 2010 at 9:36 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> Seeing logged SQL isn't - but being able to filter the logfiles on
> that requires a *lot* more than just defining a security privilege. If
> we mean "arbitrary log file reading", the easiest way to fix that
> would be to stop checking for superuser permissions in the
> read-file-function, and instead use the permissions *on the function*
> to control it. In fact, that is something that we could (should?) do
> for a bunch of other functions as well, so that we can in that way
> provide much more granular permissions level than just blanket
> assigning of privileges.

That would require having users change the permissions on system
objects, which seems icky (would they even be dumped?). Given that
the superuser could already create a security definer wrapper function
with the privileges required, I don't think this is needed.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
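
The security definer wrapper mentioned in the reply above could look like the following. This is an added example, not part of the original message or of PostgreSQL itself; the role `log_reader` and the function `read_server_log` are hypothetical names, and it assumes `log_directory` is set to a path relative to the data directory.

```sql
-- Added example. Run as a superuser: the function owner is the identity
-- the wrapper executes as, so it passes the superuser check in pg_read_file().
BEGIN;

-- Hypothetical group role for accounts that may read server logs.
CREATE ROLE log_reader NOLOGIN;

CREATE FUNCTION read_server_log(logfile   text,
                                start_at  bigint DEFAULT 0,
                                max_bytes bigint DEFAULT 65536)
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin search_path so a caller cannot shadow the functions used below.
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    -- Accept a bare file name only: no slashes, no leading dot. With no
    -- path separators allowed, the caller cannot leave the log directory.
    IF logfile IS NULL OR logfile !~ '^[A-Za-z0-9_-][A-Za-z0-9_.-]*$' THEN
        RAISE EXCEPTION 'invalid log file name';
    END IF;

    -- Bound the read so one call cannot pull an arbitrarily large file.
    IF start_at < 0 OR max_bytes < 1 OR max_bytes > 1048576 THEN
        RAISE EXCEPTION 'offset or length out of range';
    END IF;

    -- Assumption: log_directory is relative to the data directory.
    RETURN pg_read_file(current_setting('log_directory') || '/' || logfile,
                        start_at, max_bytes);
END;
$$;

-- Functions are executable by PUBLIC by default; remove that first,
-- then grant execute to the log-reading role only.
REVOKE ALL ON FUNCTION read_server_log(text, bigint, bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION read_server_log(text, bigint, bigint) TO log_reader;

COMMIT;
```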