On Sat, 2005-01-08 at 12:44 -0500, Tom Lane wrote:
> I notice that several uses of getuid() have snuck into the code, mostly
> in relatively-recently-added SSL code. I assert that these all are
> wrong and should be checking geteuid(). Is anyone going to complain
> that we need an RC5 to change this?
No, but increased security is only possible via increased transparency.
We should explain clearly any such change made in the name of security,
then document it in Developer's FAQ to make sure such problems do not
recur.
--
Best Regards, Simon Riggs
