Gevik Babakhani wrote:
>> Removing or disabling the test without removing some of the dangerous
>> capabilities would be a major security hole. For example: postgres can
>> deliver to any authenticated user the contents of any text file on the
>> system that the database user can read. Do you want the responsibility
>> of allowing that for any file the administrator can read? No, I thought
>> not. Neither do we.
>>
>
> True. This means that one just cannot "copy over" PG files and run the
> database without creating additional users and services.
>
> Just looking at how much windows standalone apps are being developed
> which potentially could use an "embedded" or "light" version of PG, I
> still think the option should be considered. Perhaps in a more
> restricted or striped-down version of PG. (PG Light or something).
>
>
>
You need to start with a security audit to work out which capabilities
need to be disabled. COPY to and from files would be one obvious area,
loading user modules might be another. The point is that we have chosen
to avoid a large set of problems by forbidding running with elevated
privileges, and if you want to relax that you need to identify the
members of that set of problems, in some fairly formal way.
Frankly, if I were creating an app that needed an embedded db, I would
probably not start with postgres. Sqlite was created just for this
purpose. Ideally, for an embedded db you want to avoid the need for a
server at all, if possible. That's never going to happen with postgres.
cheers
andrew