On Mon, May 24, 2004 at 11:23:09AM -0700, Joe Conway wrote:
> Tom Lane wrote:
> >Christopher Kings-Lynne <chriskl@familyhealth.com.au> writes:
> >>Hmmm - I agree it's difficult, but somehow I think it's something we
> >>should do. Just imagine if some major user of postgres did it - they'd
> >>be screaming blue murder...
> >
> >Shrug. Superusers can *always* shoot themselves in the foot in Postgres.
> >Try "delete from pg_proc", for instance. This sounds right up there
> >with the notion of preventing a Unix superuser from doing "rm -rf /".
>
> FWIW, I've seen a unix superuser do a recursive chmod 777 on /, and I've
> seen a Windows server admin recursively deny EVERYTHING from EVERYBODY
> starting at c:\. In both cases, we found that's why we keep regular
> backups ;-)
I've personally done rm -fr /, but this doesn't mean we couldn't do
better than imitate Unix permission scheme. In fact, latest efforts are
trying to get rid of a all-powerful superuser by using more granular
"capabilities".
Maybe we don't need to exclusive-lock the entire ALTER USER operation;
perhaps a lock escalation method could be used. OTOH I agree this
particular problem may not need a solution.
--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"La grandeza es una experiencia transitoria. Nunca es consistente.
Depende en gran parte de la imaginación humana creadora de mitos"
(Irulan)
