On Mon, Apr 10, 2017 at 10:08 PM, Stephen Frost <sfrost@snowman.net> wrote:
> Generally speaking, we should be trying to move away from superuser-only
> anything, not introducing more of it.
I totally agree, which is why I was rather surprised when you
vigorously objected to my attempts to replace the remainder of the
main tree's superuser checks that completely block execution of
certain SQL functions with privilege grants. The parameters within
which you find explicit superuser checks tolerable are extremely murky
to me.
> If the connection string can have
> sensitive data in it, ...
I would argue that a great deal of what's in a connection string could
potentially be sensitive. Do you want to disclose to unprivileged
users potentially-useful host names, IP addresses, port numbers, user
names, passwords, and/or required SSL settings? I don't think we
should assume any of that stuff to be generally OK to disclose to
non-superusers. It could be OK to disclose to everyone in some
installations, or to some people even in highly secure installations,
but the idea that there is nobody who cares about obscuring the
majority of what goes into a connection string doesn't sound right to
me.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company