>>> I think the only thing you could do would be to specify that the user
>>> and only the user have full control over the file. *Any* other ACL
>>> entries, deny or allow, are not allowed. Access via a group is not allowed.
>> That will break every default install in the world. They will all
>> contain at least ACLs for Administrators and SYSTEM. If they're in a
>> domain, also the admins from the domain. Not sure about power users. And
>> in a domain, it's not uncommon at all to push down a group of people in
>> IT who have access to users profiles to fix things. Etc.
>
> Yes - and not knowing who is/should be in the default ACL is exactly the
> problem.
>
> The only thing that will *break* though is libpq which would do the same
> thing as it would on *nix if the mode was 0622 or whatever. It's not
> going to break Windows or the users profile if the ACL on their pgpass
> file is tightened up.
It would break insofar that it wouldn't work. the pgpass file. It will
of course not break *windows*, but people will consider PostgreSQL broken.
>>> Now the next problem is how this should be set on Home Editions which do
>>> their best to hide ACLs from the user. I suppose we could just document
>>> the correct cacls command line to get exactly the acl we want.
>> I seriously don't think that will ever work, if we're broken on the
>> *default install*. If we're fine on default, and someone has changed it,
>> then they can likely fix it if they have the instructions. But if we
>> break the default install, we're out.
>
> huh?
If we don't work with a default install, people will not use it. We get
enough complaints of the run-as-admin stuff, and that only breaks if the
user has changed things away from the default.
//Magnus