Re: [HACKERS] pg_ls_dir & friends still have a hard-coded superuser check
| От | Tom Lane |
|---|---|
| Тема | Re: [HACKERS] pg_ls_dir & friends still have a hard-coded superuser check |
| Дата | |
| Msg-id | 13392.1485522813@sss.pgh.pa.us обсуждение |
| Ответ на | Re: [HACKERS] pg_ls_dir & friends still have a hard-coded superuser check (Simon Riggs <simon@2ndquadrant.com>) |
| Ответы |
Re: [HACKERS] pg_ls_dir & friends still have a hard-coded superusercheck
|
| Список | pgsql-hackers |
Simon Riggs <simon@2ndquadrant.com> writes:
> [ good general plan ]
> 3. Make a list of all functions that would cause security problems.
> One by one, precisely. If we did remove all superuser checks we would
> need this list documented to advise people of the risks, so it must
> exist before any commit can be made, assuming we believe in
> documentation. Notice that I am after risk documentation,
Yeah, I think documentation is the crux of the issue. If there is some
non-obvious reason why letting somebody use pg_ls_dir() is more of a
security hazard than it appears on the surface, the answer is to document
that so DBAs can decide for themselves whether to take the risk.
Count me +1 for removing hard-wired superuser checks, but carefully
and with an overall plan.
regards, tom lane
В списке pgsql-hackers по дате отправления: