Re: use GUC for cmdline - Mailing list pgsql-patches

From Tom Lane
Subject Re: use GUC for cmdline
Date
Msg-id 22930.993162183@sss.pgh.pa.us
In response to Re: use GUC for cmdline  (Marko Kreen <marko@l-t.ee>)
Responses Re: use GUC for cmdline
List pgsql-patches
Marko Kreen <marko@l-t.ee> writes:
>> No.  PGC_BACKEND settings have no permission check, because users can pass
>> them in from the client with the PGOPTIONS environment variable.  The fix
>> might involve a non-trivial rearrangement of the way PGOPTIONS is
>> processed (might be impossible, because PGC_BACKEND might be useless if
>> the setting will only happen after the first table access (pg_shadow)) or
>> another context level (might be too much work for one case).  At the
>> moment you might want to just cheat and fix the context at PGC_POSTMASTER
>> for this particular case.

> Do you mean the following?

>                  if (DebugLvl >= 1);
> -                SetConfigOption("log_connections", tmp, ctx, true);
> +                SetConfigOption("log_connections", tmp, PGC_POSTMASTER, true);
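
Review bot: The `if (DebugLvl >= 1);` line ends in a stray semicolon, so the `if` controls an empty statement and the `SetConfigOption("log_connections", ...)` call under it runs whatever DebugLvl is; drop the ';'. Separately, replacing `ctx` with a literal PGC_POSTMASTER here is not conditioned on anything visible in this hunk, whereas the fsync hunk makes the same substitution only under `if (secure)`; either keep `ctx` or add a comparable guard.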

In this particular case, there is no reason for log_connections to be
restricted that I can see --- it's a pretty harmless switch.  I'd
recommend downgrading its PGC restriction level to BACKEND.

BTW, *please* remove the bogus ';' on the if() line.

>                  if (secure)
> -                    SetConfigOption("fsync", "false", ctx, true);
> +                    SetConfigOption("fsync", "false", PGC_POSTMASTER, true);
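
Review bot: The fsync call now passes a literal PGC_POSTMASTER instead of the caller's `ctx`, and nothing at the call site says why that is safe. Add a short comment stating that the elevated context is justified by the `if (secure)` guard directly above, so that a later edit which moves or drops the guard does not leave the call elevated unconditionally.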

This seems like an appropriate fix.  I would recommend doing the same
with all the option switch settings that are protected with "if
(secure)".  This is not a hack: essentially it says we will treat
options passed to the postmaster with -o as postmaster-time options.

Note that the above change for log_connections is shown to be wrong
by this same logic, because -d is *not* a secure switch.  If you do want
to keep log_connections protected against being set by mere users,
then the appropriate coding would be

    if (DebugLvl >= 1 && secure)
        SetConfigOption("log_connections", tmp, PGC_POSTMASTER, true);
    if (DebugLvl >= 2)
        SetConfigOption("debug_print_query", tmp, ctx, true);
    ... etc ...

but again, I don't see a rationale for this restriction.

            regards, tom lane
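
A simplified model of the rule described in the message above, added here as an illustration and not taken from PostgreSQL's source: a switch guarded by `secure` may claim PGC_POSTMASTER, while an unguarded switch such as the debug one must pass the caller's own context. The three-level ordering, the table contents and the helper names `set_option`, `handle_fsync_off` and `handle_debug` are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified model of the context check, not PostgreSQL source.
 * Smaller value = more trusted source of the setting. */
typedef enum { PGC_POSTMASTER, PGC_BACKEND, PGC_USERSET } GucContext;
struct guc { const char *name; GucContext required; const char *value; };

/* Constructed table: log_connections sits at the BACKEND level recommended above. */
static struct guc gucs[] = {
    { "fsync",             PGC_POSTMASTER, "true"  },
    { "log_connections",   PGC_BACKEND,    "false" },
    { "debug_print_query", PGC_USERSET,    "false" },
};

static struct guc *find_guc(const char *name)
{
    for (size_t i = 0; i < sizeof gucs / sizeof gucs[0]; i++)
        if (strcmp(gucs[i].name, name) == 0)
            return &gucs[i];
    return NULL;
}

/* Apply the value only if the caller's context is at least as trusted as required. */
bool set_option(const char *name, const char *value, GucContext ctx)
{
    struct guc *g = find_guc(name);
    if (g == NULL || ctx > g->required)
        return false;
    g->value = value;
    return true;
}

/* Switch guarded by "secure": the elevated context is claimed only when the
 * option came from the postmaster side, never from a client-supplied string. */
bool handle_fsync_off(bool secure)
{
    return secure && set_option("fsync", "false", PGC_POSTMASTER);
}

/* Debug switch, not guarded by "secure": it must use the caller's context. */
bool handle_debug(int DebugLvl, const char *tmp, GucContext ctx)
{
    bool ok = true;
    if (DebugLvl >= 1) ok &= set_option("log_connections", tmp, ctx);
    if (DebugLvl >= 2) ok &= set_option("debug_print_query", tmp, ctx);
    return ok;
}
```

Hard-coding PGC_POSTMASTER inside `handle_debug` would let any caller of an unguarded switch bypass the check in `set_option`, which is the objection raised against the first hunk.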
