"Magnus Hagander" <mha@sollentuna.net> writes:
> For the long term I was thinking something like "restrict_superuser",
> which would disable both read and write, and COPY, and untrusted PL
> creation, etc, etc. But that's not for 8.1.
That's exactly what I'm talking about.
>> Also, as I already said, marking it as PGC_POSTMASTER is
>> simply not adequate security. Once we have some sort of
>> remote admin feature, I would expect it to support adjustment
>> of even postmaster-level options (this would mean forcing a
>> database restart of course) --- you can hardly say that you
>> have a complete remote admin solution if you can't change
>> shared_buffers or max_connections.
> The point is you cannot *enable* it once it is *disabled*. Thus you
> cannot *elevate* your privileges. Thus not a security issue.
It will be as soon as we have remote admin.
> Once we have a "real remote admin API", it becomes an argument, and it
> will have to be adjusted. But we don't have that today, and I see no
> need to create a new guc category just for this. After all, some of
> these functions will probably go away completely once we have such an
> API.
None of these functions are getting into 8.1 anyway; we should be
designing the long-term solution not making up short-lived hacks.
regards, tom lane