Re: Possibility to disable `ALTER SYSTEM` - Mailing list pgsql-hackers

From: Tom Lane
Subject: Re: Possibility to disable `ALTER SYSTEM`
Msg-id: 1882832.1694187082@sss.pgh.pa.us
In response to: Re: Possibility to disable `ALTER SYSTEM` (Alvaro Herrera <alvherre@alvh.no-ip.org>)
List: pgsql-hackers

Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
> I don't understand Tom's resistance to this request.

It's false security.  If you think you are going to prevent a superuser
from messing with the system's configuration, you are going to need a
lot more restrictions than this, and we'll be forever getting security
reports that "hey, I found another way for a superuser to get filesystem
access".  I think the correct answer to this class of problems is "don't
give superuser privileges to clients running inside the container".

> I did not like the mention of COPY PROGRAM, though, and in principle I
> do not support the idea of treating it the same way as ALTER SYSTEM.

It's one of the easiest ways to modify postgresql.conf from SQL.  If you
don't block that off, the feature is certainly not secure.  (But of
course, there are more ways.)

            regards, tom lane
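The post's point is that blocking `ALTER SYSTEM` alone is false security because a superuser (or a role holding the server-side file privileges) has other routes to postgresql.conf, and the real fix is not to hand those privileges to application clients. As an added example, not from the thread or from PostgreSQL's own tooling, here is the audit a defender would run to see which roles actually hold that class of power. It assumes PostgreSQL 15 or later (the `pg_execute_server_program` / `pg_write_server_files` / `pg_read_server_files` predefined roles and the `pg_parameter_acl` catalog) and a hypothetical application role named `app_user`.

```sql
-- Which non-system roles can change server configuration or reach the
-- filesystem? Superuser is the obvious case; the three predefined roles
-- delegate pieces of it (COPY ... TO/FROM file, COPY ... PROGRAM) to
-- non-superusers, so they must be audited alongside rolsuper.
-- pg_has_role(..., 'MEMBER') also sees membership inherited through
-- intermediate roles, which a direct pg_auth_members lookup would miss.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_copy_program,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS can_write_files,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS can_read_files
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'          -- skip the built-in pg_* roles
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER'))
ORDER BY r.rolsuper DESC, r.rolname;

-- Since PostgreSQL 15, ALTER SYSTEM on individual parameters can also be
-- granted to non-superusers; those grants live in pg_parameter_acl, so an
-- empty result here means only superusers can run ALTER SYSTEM at all.
SELECT parname, paracl
FROM pg_parameter_acl
ORDER BY parname;

-- The remediation the post argues for: the role the application connects
-- as is NOSUPERUSER and is a member of none of the file-access roles, so
-- ALTER SYSTEM and COPY ... PROGRAM are refused by the permission system
-- itself rather than by a bolt-on switch. (app_user is a constructed name.)
CREATE ROLE app_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION;

-- Verify: every column should be false for the application role.
SELECT rolsuper,
       pg_has_role('app_user', 'pg_execute_server_program', 'MEMBER') AS can_copy_program,
       pg_has_role('app_user', 'pg_write_server_files',     'MEMBER') AS can_write_files
FROM pg_roles
WHERE rolname = 'app_user';
```

Run the first two queries periodically (or from a CI check against staging) and alert when any login role other than the intended administrators shows up; that catches the whole class of filesystem-reaching privileges the post describes, not just `ALTER SYSTEM`.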