Re: For review: Server instrumentation patch - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: For review: Server instrumentation patch
Date
Msg-id 6BCB9D8A16AC4241919521715F4D8BCE094611@algol.sollentuna.se
In response to For review: Server instrumentation patch  ("Dave Page" <dpage@vale-housing.co.uk>)
Responses Re: For review: Server instrumentation patch  (Andrew Dunstan <andrew@dunslane.net>)
Re: For review: Server instrumentation patch  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
> > How is this different from the fact that the superuser can already
> > use COPY to accomplish the same thing?
>
> COPY can accomplish a few of the same things, much less
> conveniently (for instance, it's darn hard to write an
> arbitrary binary file through COPY).

Right. But the *security* problem is more or less equal. If somebody
hacks your superuser account, they can make at least almost the same
amount of damage. It may take a little more work, but if you just want
to kill the system by overwriting files, or overwriting say the password
file, it's just as easy. And if what you want to do is stick some kind
of executable on the system, you can just wrap it in a shell script that
will unpack it.


> If COPY provided all the same functionality, then Andreas
> would just use that and not be so worried about having this
> patch.  QED.

Oh, Andreas could edit postgresql.conf and whatever using COPY, no
doubt. And he could read the logfiles that way. But it would be very
hackish. From what I see this is just providing a different interface to
similar functionality.
But the point I'm trying to make is that the *security implications* are
more or less the same, just with a thin layer of
security-through-obscurity over one of them.

Bottom line: If somebody hacks your superuser, you've lost your
database. If your database service user has write access to sensitive
areas, or if you later log in as root (or whatever) and execute any
files that the database service user has write access to, you've lost
your box. This holds true with or without the patch.

//Magnus

