On Thursday, April 05, 2012 06:12:48 PM Tom Lane wrote:
> Andres Freund <andres@anarazel.de> writes:
> > On Thursday, April 05, 2012 05:39:19 PM Tom Lane wrote:
> >> Yeah, that would be a small pain in the neck, but it eliminates a huge
> >> pile of practical difficulties, like your blithe assumption that you can
> >> find a "private directory" somewhere (wrong) or disallow access to other
> >> people (also wrong, if they are using the same account as you).
> >
> > I don't think this needs to protect against malicious intent of a user
> > running with the *same* privileges as the postmaster.
>
> Who said anything about malicious intent? Please re-read the original
> gripe in this thread. There's nothing un-legitimate about, eg, clients
> trying to connect to the database during your maintenance window.
Yes, there is not. But those clients won't connect to a socket in some
directory thats created extra for this purpose which they don't even know the
name of. Scanning the directory tree for that would require malicious intent.
> What we want is to be sure that nobody can connect to the database
> except the person running the standalone instance. To my mind "sure"
> means "sure"; it does not include qualifiers like "unless some
> other process tries to do the same thing at about the same time".
Its not like creating a file/directory/pipename with a random name and
retrying if it already exists is an especially hard thing. That does make
*sure* it does not happen by accident. Beside the fact that single run backend
should already make sure were not running concurrently. So even a *fixed*
atomically created filename name should be enough if its not the regular name
and in a place thats not accessible from the outside.
Anyway, I don't think those reasons are sensible, but I don't care enough to
argue further.
Andres
