Tom Lane wrote:
> "Magnus Hagander" <mha@sollentuna.net> writes:
> > Per recent discussion, here is yet another updated version of the
> > instrumentation patch. Changes:
>
> > * Added guc option "disable_remote_admin", that disables any write
> > operations (write, unlink, rename) even for the superuser. Set as
> > PGC_POSTMASTER so it cannot be changed remotely.
>
> I was envisioning it as disabling all filesystem access --- read as well
> as write. Essentially the abstract concept I want is that with this on,
> even a superuser cannot use Postgres to get at the underlying operating
> system. A name like "enable_filesystem_access" would probably be more
> appropriate.
>
> Also, as I already said, marking it as PGC_POSTMASTER is simply not
> adequate security. Once we have some sort of remote admin feature,
> I would expect it to support adjustment of even postmaster-level options
> (this would mean forcing a database restart of course) --- you can
> hardly say that you have a complete remote admin solution if you can't
> change shared_buffers or max_connections.
How does this affect COPY? Is it not important because COPY can not
write a null byte?
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
