On Mon, Apr 23, 2001 at 10:50:42PM -0400, Tom Lane wrote:
> Basically, if we do this then we are abandoning the notion that Postgres
> runs as an unprivileged user. I think that's a BAD idea, especially in
> an environment that's open enough that you might feel the need to
> load-throttle your users. By definition you do not trust them, eh?
No. It's not a case of trust, but of providing an adaptive way
to keep performance reasonable. The users may have no independent
way to cooperate to limit load, but the DB can provide that.
> A less dangerous way of approaching it might be to have an option
> whereby the postmaster invokes 'uptime' via system() every so often
> (maybe once a minute?) and throttles on the basis of the results.
> The reaction time would be poorer, but security would be a whole lot
> better.
Yes, this alternative looks much better to me. On Linux you have
the much more efficient alternative, /proc/loadavg. (I wouldn't
use system(), though.)
Nathan Myers
ncm@zembu.com
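The safer probe described in the exchange above, as an added example that is not part of the original thread or of the PostgreSQL code base: it reads /proc/loadavg with open(2)/read(2) instead of spawning `uptime` through system() or popen(), so the postmaster never forks a shell or does a PATH lookup while running as its unprivileged user. The function names, the per-CPU threshold policy and the sample loadavg line are this example's own assumptions.

```c
/* Added example, not from the mailing-list thread or from PostgreSQL itself.
 * Load-average probe that avoids system()/popen(): no shell, no PATH lookup,
 * no exec, just a read of /proc/loadavg (Linux-specific). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the first three fields of a /proc/loadavg line such as
 * "0.42 0.37 0.29 1/123 4567". Returns 0 on success, -1 if the text does not
 * contain three non-negative numbers. strtod() skips leading whitespace, so the
 * three fields can be consumed back to back. */
int parse_loadavg(const char *line, double out[3])
{
    const char *p = line;
    for (int i = 0; i < 3; i++) {
        char *end;
        errno = 0;
        double v = strtod(p, &end);
        if (end == p || errno != 0 || v < 0.0)
            return -1;
        out[i] = v;
        p = end;
    }
    return 0;
}

/* Single-field convenience: the i-th (0..2) average from a loadavg line,
 * or -1.0 if the line does not parse or i is out of range. */
double loadavg_field(const char *line, int i)
{
    double v[3];
    if (i < 0 || i > 2 || parse_loadavg(line, v) != 0)
        return -1.0;
    return v[i];
}

/* Read /proc/loadavg directly. O_CLOEXEC keeps the descriptor from leaking
 * into any child the caller later forks. Returns 0 on success, -1 on error
 * (for example on a non-Linux system where the file does not exist). */
int read_proc_loadavg(double out[3])
{
    char buf[128];
    int fd = open("/proc/loadavg", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int saved = errno;
    close(fd);
    if (n <= 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return parse_loadavg(buf, out);
}

/* Hypothetical throttling policy: throttle when the 1-minute average exceeds
 * per_cpu_limit times the number of online CPUs. Returns 1 = throttle, 0 = ok. */
int should_throttle(double load1, long ncpu, double per_cpu_limit)
{
    if (ncpu < 1)
        ncpu = 1;
    return load1 > per_cpu_limit * (double)ncpu;
}

int main(void)
{
    double load[3];
    long ncpu = sysconf(_SC_NPROCESSORS_ONLN);
    if (read_proc_loadavg(load) != 0) {
        perror("read /proc/loadavg");
        return 1;
    }
    printf("load %.2f %.2f %.2f on %ld cpu(s): %s\n", load[0], load[1], load[2],
           ncpu, should_throttle(load[0], ncpu, 1.0) ? "throttle" : "ok");
    return 0;
}
```

Polling this once a minute from the postmaster costs one open/read/close and no process creation; if the file is missing the probe fails closed to "cannot measure" rather than falling back to running an external command.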