Re: Updated instrumentation patch

Magnus Hagander wrote:
>
> > > > Also, as I already said, marking it as PGC_POSTMASTER is
> > simply not
> > > > adequate security.  Once we have some sort of remote
> > admin feature,
> > > > I would expect it to support adjustment of even postmaster-level
> > > > options (this would mean forcing a database restart of
> > course) ---
> > > > you can hardly say that you have a complete remote admin
> > solution if
> > > > you can't change shared_buffers or max_connections.
> > >
> > > The point is you cannot *enable* it once it is *disabled*. Thus you
> > > cannot *elevate* your privileges. Thus not a security issue.
> >
> > I think any secure solution is going to have to block all
> > write access to postgresql.conf, and that includes all the
> > COPY TO and all the untrusted languages.
>
> Exactly. But we won't get that for 8.1. So for now, we block all write
> access through *new* functions, per the "let's at least not add more
> security holes" rule.

As far as I know, the only new functionality the patch adds _over_ copy
is the ability to write nulls, and rename/unlink.  Should we just throw
an error when writing null bytes?

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073