Andrew Dunstan <andrew@dunslane.net> writes:
> I still think, security considerations aside, that an API for config
> settings would be a much better piece of design than providing file
> system access functions.
I agree with that. Given what we currently have, though, remote config
and remote log examination do require filesystem access. But IMHO
there's no very good reason why admin actions requiring filesystem
access shouldn't be programmed in an untrusted PL, rather than through
separate file-access functions. Andreas argued that he didn't want to
make pgAdmin functionality dependent on the availability of an untrusted
PL, but I think that argument is bogus. If the admin doesn't want to
install an untrusted PL for pgAdmin to use, why in the world would he
be happy with equivalent functionality being installed in such a way
that he can't get rid of it?
regards, tom lane
