Lamar Owen <lamar.owen@wgcr.org> writes:
>> Seems to me that someone who thinks the executables should be root-owned
>> is likely to think the same of the config files.
> Sorry to disappoint you :-).
> ...
> However, IMHO, for best security, the executables do need to be root owned.
Or at least not owned/writable by the postgres user. Sure, that seems
like a good idea for a high-security installation. But I always thought
the motivation for that rule was to prevent someone who'd gained some
control of the program (eg via a buffer-overrun exploit) from expanding
his exploit by overwriting the executables with malicious code. If the
config files can be overwritten by the postgres user, then you still
have an avenue for an attacker to expand his privileges. Example: he
can trivially become postgres superuser after altering pg_hba.conf.
regards, tom lane