Stephen Amadei <amadei@dandy.net> writes:
> However, if someone was to know that Postgres needs a /bin/rm, an exploit
> could be created that runs /bin/rm instead of /bin/sh and trashes the
> databases postgres owns. Of course, this is a big IF. ;-)
The attacker won't be able to do any of this unless he's already managed
to connect to the database, no? There are much easier ways to zap your
data at the SQL level. Sorry but I'm having a hard time getting excited
about this proposition...
regards, tom lane