Magnus Hagander wrote:
> > > Per recent discussion, here is yet another updated version of the
> > > instrumentation patch. Changes:
> >
> > > * Added guc option "disable_remote_admin", that disables any write
> > > operations (write, unlink, rename) even for the superuser. Set as
> > > PGC_POSTMASTER so it cannot be changed remotely.
> >
> > I was envisioning it as disabling all filesystem access ---
> > read as well as write. Essentially the abstract concept I
> > want is that with this on, even a superuser cannot use
> > Postgres to get at the underlying operating system. A name
> > like "enable_filesystem_access" would probably be more appropriate.
>
> Um. I thought the entire argument was about *writing* files. But it
> should be easy enough to stick requireRemoteAdmin() to all the
> functions.
>
> For the long term I was thinking something like "restrict_superuser",
> which would disable both read and write, and COPY, and untrusted PL
> creation, etc, etc. But that's not for 8.1.
>
> > Also, as I already said, marking it as PGC_POSTMASTER is
> > simply not adequate security. Once we have some sort of
> > remote admin feature, I would expect it to support adjustment
> > of even postmaster-level options (this would mean forcing a
> > database restart of course) --- you can hardly say that you
> > have a complete remote admin solution if you can't change
> > shared_buffers or max_connections.
>
> The point is you cannot *enable* it once it is *disabled*. Thus you
> cannot *elevate* your privileges. Thus not a security issue.
I think any secure solution is going to have to block all write access
to postgresql.conf, and that includes all the COPY TO and all the
untrusted languages.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073