Hiding GUC variables from non-superusers - Mailing list pgsql-hackers

From Tom Lane
Subject Hiding GUC variables from non-superusers
Msg-id 18434.1098475792@sss.pgh.pa.us
Responses Re: Hiding GUC variables from non-superusers  (Simon Riggs <simon@2ndquadrant.com>)
List pgsql-hackers
Pursuant to prior discussion, I have added a flag to guc.c that marks
certain GUC variables as not to be shown to non-superusers.  For the
moment it's just set on variables related to the server's filesystem
layout, such as the recently added data_directory and config_file
variables.  But now that we have it, I am wondering if it shouldn't
be set on other potentially security-related variables.  For instance,
knowing exactly what logging the DBA is doing or not doing might be of
assistance to a blackhat user.  On the other hand, it's a bit pointless
to block viewing of any USERLIMIT variables, since the user can discover
by experimentation what their settings are; and most of the
logging-level variables are USERLIMIT.  (Maybe that whole concept is a
bad idea and should be rethought.  Why exactly should a non-privileged
user be able to adjust logging level either up or down?  Cranking it out
to the max could be seen as a crude form of DOS attack...)

Right now what I have marked are

	config_file
	data_directory
	dynamic_library_path
	external_pid_file
	hba_file
	ident_file
	krb_server_keyfile
	log_directory
	log_filename
	preload_libraries
	unix_socket_directory

I am strongly tempted to mark "archive_command" as well.  Unless we want
to revisit the USERLIMIT idea, there's not anything else I see that
looks worth marking.

Comments, opinions?
        regards, tom lane
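As an added check (not part of Tom's message or the PostgreSQL tree), the following PL/pgSQL block can be run as a non-superuser role to confirm which of the variables listed above are actually hidden from that role. It assumes a release where the superuser-only flag (GUC_SUPERUSER_ONLY in current guc.h) is enforced by current_setting(), and treats names that were later renamed or removed as absent instead of aborting the loop; "archive_command" is included since the message proposes marking it too.

```sql
-- Added check, not from the original post: report, for the current role,
-- whether each superuser-only candidate is visible, hidden, or absent.
-- Assumes current_setting() raises insufficient_privilege for hidden GUCs
-- and undefined_object for names this server version does not know.
DO $$
DECLARE
    gucname text;
    gucval  text;
BEGIN
    IF (SELECT rolsuper FROM pg_roles WHERE rolname = current_user) THEN
        RAISE NOTICE 'running as superuser; nothing will be hidden';
    END IF;

    FOREACH gucname IN ARRAY ARRAY[
        'config_file', 'data_directory', 'dynamic_library_path',
        'external_pid_file', 'hba_file', 'ident_file', 'krb_server_keyfile',
        'log_directory', 'log_filename', 'preload_libraries',
        'unix_socket_directory', 'archive_command']
    LOOP
        BEGIN
            gucval := current_setting(gucname);
            RAISE NOTICE '% is VISIBLE to %: %', gucname, current_user, gucval;
        EXCEPTION
            WHEN insufficient_privilege THEN
                -- the superuser-only flag did its job for this role
                RAISE NOTICE '% is hidden from %', gucname, current_user;
            WHEN undefined_object THEN
                -- renamed or removed in this server version
                RAISE NOTICE '% does not exist on this server', gucname;
        END;
    END LOOP;
END $$;
```

Run it once as the DBA and once after SET ROLE to an unprivileged login; any "VISIBLE" line in the second run names a variable the flag is not protecting.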