Alvaro Herrera <alvherre@2ndquadrant.com> writes:
> Jeff Janes wrote:
>> With the stats file split patch 187492b6c2e8cafc5 introduced in 9.3dev, now
>> after a crash the postmaster will try to delete all files in the directory
>> stats_temp_directory. When that is just a subdirectory of PGDATA, this is
>> fine. But it seems rather hostile when it is set to a shared directory,
>> like the popular /dev/shm.
>> Does this need to be fixed, or at least documented?
> I think we need it fixed so that it only deletes the files matching a
> well-known pattern.
I think we need it fixed to reject any stats_temp_directory that is not
postgres-owned with restrictive permissions. The problem here is not
with what it deletes, it's with the insanely insecure configuration.
regards, tom lane
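
The check proposed in the reply above (accept the directory only if it is owned by the server's user and has no group or world access), sketched in C. This is an added example, not part of the thread and not PostgreSQL's code; `check_private_dir()` and its result codes are hypothetical names.

```c
/* Added example: validate a candidate stats_temp_directory before use.
 * check_private_dir() and the dir_check codes are hypothetical names. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

typedef enum {
    DIR_OK = 0,
    DIR_STAT_FAILED,    /* missing or inaccessible */
    DIR_NOT_DIRECTORY,
    DIR_WRONG_OWNER,    /* owned by someone other than the server user */
    DIR_LOOSE_PERMS     /* group or world has at least one access bit */
} dir_check;

dir_check check_private_dir(const char *path, uid_t server_uid)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return DIR_STAT_FAILED;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_DIRECTORY;
    /* Ownership first: a directory owned by another user can be re-chmod'ed
     * by that user at any time, so its current mode proves nothing. */
    if (st.st_uid != server_uid)
        return DIR_WRONG_OWNER;
    /* Any group/other bit means other accounts may list, create or remove
     * entries, which is what makes a blanket cleanup dangerous. */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return DIR_LOOSE_PERMS;
    return DIR_OK;
}

int main(int argc, char **argv)
{
    static const char *const msg[] = {
        "ok", "cannot stat", "not a directory",
        "not owned by this user", "group/world access allowed"
    };
    /* Default to the shared directory mentioned in the thread. */
    const char *path = argc > 1 ? argv[1] : "/dev/shm";
    dir_check rc = check_private_dir(path, geteuid());

    printf("%s: %s\n", path, msg[rc]);
    return rc == DIR_OK ? 0 : 1;
}
```
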