Thanks for your answer,
> In very many environments, 0770 protection would be a disaster. I do
> not think it is a good idea to allow that permission to be set, not
> even configurably.
The problem whether 0770 is a disaster strongly depends on the settings of the
group memberships. Group memberships are often neclected and I share to your
concerns. I also agree that /data/base and such really not the business of
anyone else, even dbadmin. And no doubts whatsoever regarding 0777.
But on the other hand, the current situation makes it really hard to establish
a role based authorization scheme implemented using group memberships. Every
service has a unique user and group and every admin belonges to all groups
which he or she should be able to configure. All services are jailed into
their repective user account with shell access.
Postgres is the only service on my machine fighting that scheme. Someone
already suggested to temporarily change the PGDATA permission during startup.
I prefer to circumvent the check by placing softlinks inside /data for all
relevant files. I count on you not adding another check for each file :-)
But perhaps I've overseen something with role based service management. If
there is a bad flaw, please tell me...
With kind regards / mit freundlichem Gruß
Holger Klawitter
--
Holger Klawitter http://www.klawitter.de
lists@klawitter.de