On Fri, Jul 1, 2022 at 5:15 AM Hannu Krosing <hannuk@google.com> wrote:
> This is the eternal problem with security - more security always
> includes more inconvenience.
But the same amount of security can be more or less inconvenient, and
I don't think your proposal does very well there. More inconvenience
doesn't mean more security.
I actually think this whole line of attack is probably a dead end. My
preferred approach is to find ways of delegating a larger subset of
superuser privileges to non-superusers, or to prevent people from
assuming the superuser role in the first place. Trying to restrict
what superusers can do seems like a much more difficult path, and I
think it might be a dead end. But if such an approach has any hope of
success, I think it's going to have to try to create a situation where
most of the administration that you need to do can be done most of the
time with some sort of restricted superuser privileges, and only in
extreme scenarios do you need to change the cluster state to allow
full superuser access. There's no such nuance in your proposal. It's
just a great big switch that makes superuser mean either nothing, or
all the things it means today. I don't think that's really a
meaningful step forward.
--
Robert Haas
EDB: http://www.enterprisedb.com