Magnus Hagander wrote:
>
> > > > Also, as I already said, marking it as PGC_POSTMASTER is
> > simply not
> > > > adequate security. Once we have some sort of remote
> > admin feature,
> > > > I would expect it to support adjustment of even postmaster-level
> > > > options (this would mean forcing a database restart of
> > course) ---
> > > > you can hardly say that you have a complete remote admin
> > solution if
> > > > you can't change shared_buffers or max_connections.
> > >
> > > The point is you cannot *enable* it once it is *disabled*. Thus you
> > > cannot *elevate* your privileges. Thus not a security issue.
> >
> > I think any secure solution is going to have to block all
> > write access to postgresql.conf, and that includes all the
> > COPY TO and all the untrusted languages.
>
> Exactly. But we won't get that for 8.1. So for now, we block all write
> access through *new* functions, per the "let's at least not add more
> security holes" rule.
As far as I know, the only new functionality the patch adds _over_ copy
is the ability to write nulls, and rename/unlink. Should we just throw
an error when writing null bytes?
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073