Simon Riggs <simon@2ndquadrant.com> writes:
> [ good general plan ]
> 3. Make a list of all functions that would cause security problems.
> One by one, precisely. If we did remove all superuser checks we would
> need this list documented to advise people of the risks, so it must
> exist before any commit can be made, assuming we believe in
> documentation. Notice that I am after risk documentation,
Yeah, I think documentation is the crux of the issue. If there is some
non-obvious reason why letting somebody use pg_ls_dir() is more of a
security hazard than it appears on the surface, the answer is to document
that so DBAs can decide for themselves whether to take the risk.
Count me +1 for removing hard-wired superuser checks, but carefully
and with an overall plan.
regards, tom lane