Re: WAL file location

From Tom Lane
Subject Re: WAL file location
Date
Msg-id 24400.1028087498@sss.pgh.pa.us
In reply to Re: WAL file location  (Lamar Owen <lamar.owen@wgcr.org>)
Responses Re: WAL file location  (Lamar Owen <lamar.owen@wgcr.org>)
List pgsql-hackers
Lamar Owen <lamar.owen@wgcr.org> writes:
>> Ah. See, we already have a failure in a security analysis here. This
>> command:
>> CREATE DATABASE foo WITH LOCATION = 'BAR'
>> uses a string that's in the environment.

> And requires you to be a database superuser anyway.

CREATE DATABASE does not require superuser privs, only createdb
which is not usually considered particularly dangerous.

Whether you think that there is a potentially-exploitable security hole
here is not really the issue.  The point is that two different arguments
have been advanced against using environment variables for configuration
(if you weren't counting, (1) possible security issues now or in the
future and (2) lack of consistency between manual and boot-script
startup), while zero (as in 0, nil, nada) arguments have been advanced
in favor of using environment variables instead of configuration files.
I do not see why we are debating the negative when there is absolutely
no case on the positive side.
        regards, tom lane

