Peter Eisentraut <peter_e@gmx.net> writes:
> * pg_hba.conf, pg_ident.conf, secondary "password" files, SSL
> certificates, all other configuration things formerly in $PGDATA
> Default location: ${sysconfdir}
This strikes me as a fairly BAD idea because of the security
implications of keeping these things in a world-accessible directory.
I'm willing to tolerate moving postgresql.conf but I am much less
willing to move anything that contains sensitive information.
I suggest that the default location of these things continue to be
$PGDATA (which as you note will be settable from postgresql.conf).
> QUESTION: Do we want to have the -C command-line option affect these
> parameters in some way? It would seem quite sensible.
Not necessary if done as above.
> Password files containing actual passwords and the SSL files
> need to be postgres-owned 0600 (or less), which will require a chmod or
> chown call or two in most installations, but setting up secondary
> "password" files or SSL will take a few key strokes anyway. We should
> have run-time security checks that we don't use world-readable files that
> contain secrets.
While such a check is not a bad idea, it is really just locking the barn
door after the horse has been stolen. Better to set up the default
configuration to make such errors difficult to commit in the first place.
> We could have an environment variable $PGCONF that overrides the location
> of the postgresql.conf file (in some to be specified way), so those who
> don't like the new setup can set PGCONF=$PGDATA or something like that.
The postmaster -C switch seems sufficient for this; I don't see a reason
to invent an environment var too.
regards, tom lane