Peter Eisentraut <peter_e@gmx.net> writes:
> So the premise is that in theory any file can live anywhere. And the
> access permissions of a file are solely controlled by its own permission
> bits and ownership, not what directory it may live in. Ultimately, the
> former way is more secure.
<<itch>> I guess my thoughts on this are colored by bad experience with
tools that are sloppy about preserving ownership/permissions on edited
files. (I can recall being burnt this way by both Emacs and HP's "SAM"
admin tool. Perhaps recent versions don't have those bugs anymore.)
I am not at all convinced that "the former way is more secure" in
reality, even if it's cleaner in theory.
Can't we do both? If the default setup is to put config files in
a Postgres-specific directory, then let's make the default arrangement
be that that directory is Postgres-owned, mode 700, *and* the config
files are Postgres-owned and mode 600. Anyone who wants to back off
from that is welcome to take responsibility for any security holes
they've created.
> 2. Make sure the user account you created in step 1 can read the
> configuration files. There are a few ways to make this happen:
> a. Make the configuration files world-readable.
I'd prefer you not recommend that at all, and certainly not as the
first alternative.
regards, tom lane