On Mon, 2009-01-26 at 22:55 -0500, Tom Lane wrote:
> Even accepting such a restriction, there's too much code in
> core Postgres to let anyone feel very good about keeping the core free
> of security leaks
I see what you're saying, but we're trying to pass certification, not
provide security in all cases.
The security policy & its implementation is part of the wall, so its
straightforward to say "don't do those things". Since both backups and
plugins are not typically managed by unprivileged users, that seems
reasonable. (And anyway, they should be using PITR :-).
I'd rather see it go in now. It needs to be audited, and it might fail.
If we put it in 8.5 and it still fails, we'll be in 8.6, which is far,
far away and we shouldn't expect NEC to fund such a long range mission.
-- Simon Riggs www.2ndQuadrant.comPostgreSQL Training, Services and Support