Re: ALTER ROLE/DATABASE RESET ALL versus security - Mailing list pgsql-hackers

From Bernd Helmle
Subject Re: ALTER ROLE/DATABASE RESET ALL versus security
Date
Msg-id 32EF579BD16943AB19FB2C74@amenophis
In response to ALTER ROLE/DATABASE RESET ALL versus security  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers

--On 13. November 2009 19:08:22 -0500 Tom Lane <tgl@sss.pgh.pa.us> wrote:

> It looks to me like the code in AlterSetting() will allow an ordinary
> user to blow away all settings for himself.  Even those that are for
> SUSET variables and were presumably set for him by a superuser.  Isn't
> this a security hole?  I would expect that an unprivileged user should
> not be able to change such settings, not even to the extent of
> reverting to the installation-wide default.

I agree. A quick check shows that resetting or changing a single parameter
is not allowed, so this seems inconsistent anyway. Maybe AlterSetting()
should be more strict and pick only those settings that are safe for
ordinary users to reset?

-- 
Thanks
Bernd
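
The stricter behaviour suggested in the message above, as an added example that is not part of the original post and is not PostgreSQL's own code: a simplified C model in which RESET ALL removes only the entries the caller could also reset one at a time. The type and function names, the return codes and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model: only the two GUC contexts this thread is about. */
typedef enum { CTX_USERSET, CTX_SUSET } GucCtx;
typedef struct { const char *name, *value; GucCtx ctx; } RoleSetting;

/* One permission rule shared by both code paths (hypothetical helper). */
static bool may_reset(const RoleSetting *s, bool is_superuser)
{
    return is_superuser || s->ctx == CTX_USERSET;
}

/* RESET name: 0 = removed, -1 = not set for this role, -2 = permission denied. */
int reset_one(RoleSetting *set, size_t *n, const char *name, bool is_superuser)
{
    for (size_t i = 0; i < *n; i++) {
        if (strcmp(set[i].name, name) != 0)
            continue;
        if (!may_reset(&set[i], is_superuser))
            return -2;
        memmove(&set[i], &set[i + 1], (*n - i - 1) * sizeof set[0]);
        (*n)--;
        return 0;
    }
    return -1;
}

/* RESET ALL, strict: keep what the caller may not touch; returns count removed. */
size_t reset_all_strict(RoleSetting *set, size_t *n, bool is_superuser)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; i < *n; i++) {
        if (may_reset(&set[i], is_superuser))
            removed++;
        else
            set[kept++] = set[i];   /* e.g. a SUSET entry set by a superuser */
    }
    *n = kept;
    return removed;
}
/* Constructed sample: an ordinary user resets all; the SUSET entry survives. */
int main(void)
{
    RoleSetting s[] = { {"log_statement", "all", CTX_SUSET}, {"work_mem", "64MB", CTX_USERSET} };
    size_t n = 2;
    return (reset_all_strict(s, &n, false) == 1 && n == 1) ? 0 : 1;
}
```

Because both paths call the same `may_reset` rule, RESET ALL can no longer do what a single-parameter RESET refuses.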

