Tom Lane <tgl@sss.pgh.pa.us> wrote:
> So at this point we've decided that we must forbid access to symlinked or
> hardlinked files, which is a significant usability penalty; we've also
> chosen to blow off most older platforms entirely; and we've only spent
> about five minutes actually looking for security issues, with no good
> reason to assume there are no more.
What's interesting and disappointing here is that not one of these
suggested vulnerabilities seems like a possibility on a database
server managed in what I would consider a sane and secure manner[1].
This feature is valuable because it is an alternative to allowing a
user you don't trust *either* an OS login to the database server
*or* a superuser database login. Can anyone suggest an exploit
which would be available if we allowed someone who has permission
to view all data in the database read permission to the pg_log
directory and the files contained therein, assuming they do *not*
have an OS login to the database server?
--
Kevin Grittner
EDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company