| From: | Douglas McNaught <doug(at)mcnaught(dot)org> |
|---|---|
| To: | Greg Stark <gsstark(at)mit(dot)edu> |
| Cc: | emilu(at)cs(dot)concordia(dot)ca, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: About "ERROR: must be *superuser* to COPY to or from a file" |
| Date: | 2005-08-26 22:24:08 |
| Message-ID: | m2k6i8nxpz.fsf@Douglas-McNaughts-Powerbook.local |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Greg Stark <gsstark(at)mit(dot)edu> writes:
> Douglas McNaught <doug(at)mcnaught(dot)org> writes:
>
>> You can use \copy in 'psql' on the client side, but you have to be a
>> superuser to do COPY on the server side, for security reasons.
>
> I wonder if there's any way to relax this constraint.
>
> If you're connected via a unix domain socket we can know the UID of the client
> end. I don't see reproducing the entire unix semantics but if file is owned by
> the same uid as the user connecting it seems like it ought to be safe.
That's an interesting point. You'd have to make sure you weren't
following a user-owned symlink to a 'postgres'-owned file, but that's
doable.
Of course that method only applies to a subset of PG users, and
completely excludes the Windows side. It might also conflict with
security policies that forbid PG from reading and writing outside its
own data directory.
-Doug
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Michael Fuhr | 2005-08-26 22:33:36 | Re: PQConnectdb SSL (sslmode): Is this a bug |
| Previous Message | Greg Stark | 2005-08-26 22:04:52 | Re: About "ERROR: must be *superuser* to COPY to or from a file" |