On Mon, Aug 27, 2007 at 08:08:34AM -0700, Joshua D. Drake wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I just saw this in the weekly news:
>
> Restrict pg_relation_size to relation owner, pg_database_size to DB
> owner, and pg_tablespace_size to superusers. Perhaps we could
> weaken the first case to just require SELECT privilege, but that
> doesn't work for the other cases, so use ownership as the common
> concept.
>
> This is a problem. Our analytics software purposefully does not use a
> super user, you are going to force the use of superusers with admin and
> monitoring tools.
Well, you could always create a wrapper function that is SECURITY
DEFINER...
Honestly, I have to wonder if it'd be best to just restrict all those
functions to superuser-only. They tend to be rather slow to run since
they have to stat each file, so I'm worried about what kind of load that
would present on a loaded system.
--
Decibel!, aka Jim Nasby decibel@decibel.org
EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)
