Re: About "ERROR: must be *superuser* to COPY to or from

From Scott Marlowe
Subject Re: About "ERROR: must be *superuser* to COPY to or from
Date
Msg-id 1125440743.28179.127.camel@state.g2switchworks.com
In response to Re: About "ERROR: must be *superuser* to COPY to or from a file"  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: About "ERROR: must be *superuser* to COPY to or from a file"  (Greg Stark <gsstark@mit.edu>)
List pgsql-general
On Mon, 2005-08-29 at 18:59, Tom Lane wrote:
> Greg Stark <gsstark@mit.edu> writes:
> > I was only suggesting using this from a local unix user where you can
> > actually authoritatively say something about the uid of the connecting
> > user. I suggested that if the owner of the file matches the uid of the
> > connecting user (which you can get on a unix domain socket)
>
> ... on some platforms ... and half the world connects over TCP even on
> local connections ...
>
> > then there's no reason not to grant access to the file.
>
> Assuming that the server itself can get at the file, which is
> questionable if the file is owned by the connecting user rather than the
> server (and, for instance, may be located under a not-world-readable
> home directory).  And then there are interesting questions like whether
> the server and the user see eye-to-eye on the name of the file (consider
> server inside chroot jail, AFS file systems, etc).
>
> There are enough holes in this to make it less than attractive.  We'd
> spend more time answering questions about "why doesn't this work" than
> we do now, and I remain unconvinced that there would be no exploitable
> security holes.

Plus, how is the server supposed to KNOW that you have access to the
file?  psql may know who you are, but the server only knows who you are
in the "postgresql" sense, not the OS sense.
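
Added example, not part of the original thread and not PostgreSQL code: a sketch of the check discussed above, showing what a server process can and cannot learn about the connecting OS user. It assumes Linux (`SO_PEERCRED`); the names `peer_uid`, `may_serve_file` and `demo` are hypothetical, and the sockets and temp file are constructed for the demonstration.

```python
import os
import socket
import struct
import tempfile

HAVE_PEERCRED = hasattr(socket, "SO_PEERCRED")  # Linux name; other platforms differ

def peer_uid(conn):
    """OS uid of the connecting process, or None when the transport cannot say."""
    # Only a Unix-domain socket carries kernel-verified peer credentials;
    # over TCP (even to localhost) the server sees just an address and port.
    if conn.family != socket.AF_UNIX or not HAVE_PEERCRED:
        return None
    fmt = "iII"  # struct ucred: pid, uid, gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)[1]

def may_serve_file(conn, path):
    """Hypothetical policy check: (allowed, reason) for reading path for the peer."""
    uid = peer_uid(conn)
    if uid is None:
        return (False, "peer uid unknown")
    try:
        # The path is resolved in the server's namespace, with the server's
        # own permissions, which may not match what the client sees.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return (False, "server cannot open file")
    try:
        owner = os.fstat(fd).st_uid  # check the opened file, not the name
    finally:
        os.close(fd)
    if owner != uid:
        return (False, "file not owned by peer")
    return (True, "ok")

def demo():
    """Constructed scenario: one Unix-socket peer, one TCP socket, one temp file."""
    unix_srv, unix_cli = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # transport alone decides
    try:
        with tempfile.NamedTemporaryFile() as f:
            return {"unix": may_serve_file(unix_srv, f.name),
                    "tcp": may_serve_file(tcp, f.name)}
    finally:
        for s in (unix_srv, unix_cli, tcp):
            s.close()

if __name__ == "__main__":
    print(demo())
```

The check fails closed whenever the uid is unavailable, which covers both the TCP case and platforms without `SO_PEERCRED`.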
