Andres Freund <andres@anarazel.de> writes:
> On 2012-12-05 16:20:41 -0500, Tom Lane wrote:
>> GUC or no GUC, it'd still be letting an unprivileged network-exposed
>> application (PG) do something that's against any sane system-level
>> security policy. Lipstick is not gonna help this pig.
> What about the non-writable per cluster directory? Thats something I've
> actively wished for in the past when developing a C module thats also
> used in other clusters.
I see no security objection to either per-cluster or per-database
script+control-file directories, as long as they can only contain
SQL scripts and not executable files.
If we allow such things to be installed by less-than-superusers,
we'll have to think carefully about what privileges are given
when running the script. I forget at the moment how much of that
we already worked out back in the 9.1 era; I remember it was discussed
but not whether we had a bulletproof solution.
regards, tom lane