> > > I think any secure solution is going to have to block all write
> > > access to postgresql.conf, and that includes all the COPY
> TO and all
> > > the untrusted languages.
> >
> > Exactly. But we won't get that for 8.1. So for now, we
> block all write
> > access through *new* functions, per the "let's at least not
> add more
> > security holes" rule.
>
> As far as I know, the only new functionality the patch adds
> _over_ copy is the ability to write nulls, and rename/unlink.
> Should we just throw an error when writing null bytes?
Um. Yes. This patch goes one step further and allows you to block the
writing of *any* file using these functions. The question is wether that
one step further is far enough..
//Magnus