Andrew Dunstan <andrew@dunslane.net> writes:
> How about if we do something like this?:
> . initdb creates a tmpdir inside the datadir
> . a new GUC var called allowed_copy_locations which is a PATH type
> string specifying what directories we can copy to/from. This would by
> default be "$tmpdir"
Given that COPY to/from a file is already allowed only to superusers,
I'm not sure how effective a GUC variable will be in constraining what
they do with it. We'd have to at least restrict it to SIGHUP, which'd
mean you couldn't change it without the ability to write the config
file.
Also I'm not sure how useful it is to read and write inside the data
directory, which is an area one hopes is not accessible to most people,
even if they have superuser privs.
If we went down this path at all, I'd be inclined to just deprecate
and eventually remove server-side COPY altogether. Not sure about
the performance costs of that, though.
regards, tom lane