Tom Lane wrote:
> Alvaro Herrera <alvherre@commandprompt.com> writes:
> > Tom Lane wrote:
> >> It looks to me like the code in AlterSetting() will allow an ordinary
> >> user to blow away all settings for himself. Even those that are for
> >> SUSET variables and were presumably set for him by a superuser. Isn't
> >> this a security hole? I would expect that an unprivileged user should
> >> not be able to change such settings, not even to the extent of
> >> reverting to the installation-wide default.
>
> > Yes, it is, but this is not a new hole. This works just fine in 8.4
> > too:
>
> So I'd argue for changing it in 8.4 too.
Understood. I'm starting to look at what this requires.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.