Re: Required permissions for data directory - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Required permissions for data directory
Msg-id 5745.1097609208@sss.pgh.pa.us
In response to Re: Required permissions for data directory  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
Andrew Dunstan <andrew@dunslane.net> writes:
> Tom Lane wrote:
>> Being able to edit postgresql.conf gives one the ability to become
>> postgres (hint: you can cause the backend to load a shlib of your
>> choosing, or even more trivially, adjust pg_hba.conf to let you in
>> as superuser), so the above distinction is unenforceable.

> And can't we now even point to a completely different location for the 
> actual data, as well as the rest of the config? I'd hate to think of 
> someone changing that out from under me.

Well, that's an interesting point.  As of CVS tip it is possible to keep
the config files somewhere else than the data directory, and there is no
permissions enforcement at all on the config files or their containing
directory when you do that.  I'm not sure this is a good idea, but it
does mean that Joshua can do what he wants to (and be just as insecure
as he wants to).

Should we try to enforce any permissions restrictions on the config
files when they are stored elsewhere?  If so, what?  One obvious point
is that the files and parent dir could quite legitimately be root-owned,
so we cannot simply require 700-or-less permission as we did before.
        regards, tom lane