Re: logfile subprocess and Fancy File Functions

Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Tom Lane wrote:
> >> I'm pretty much against allowing configuration editing from remote
> >> altogether.
>
> > Why can't they just use COPY to replace the contents of pg_hba.conf now?
>
> If you've write-protected it, that doesn't work.
>
> Also, COPY insists on an absolute path, and if the attacker doesn't know
> the value of $PGDATA or $HOME then he'll have some difficulty doing
> anything much with it.  I thought that the handy default of $PGDATA in
> the proposed functions was pretty unwise all by itself --- if they don't
> require absolute paths then that's still another new door we'll be opening.

I think he wanted $PGDATA default so a remote user could find the log
location without a problem.  I would prefer to see something specific in
the file name passed to identify PGDATA, but I don't have a problem with
the substitution.  Thinking we have security because they can't guess
pgdata seems like security through obscurity to me.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073