Re: Remote administration functionality

On Sat, Jul 30, 2005 at 09:35:16PM -0700, Steve Atkins wrote:
> On Sat, Jul 30, 2005 at 11:39:20PM -0400, Bruce Momjian wrote:
> > Let me try to outline where I think our goals are for remote
> > administration.  I will not comment on Dave's analysis of the patch
> > review process, but I think he has some valid points that this patch was
> > not treated properly.
> > 
> > Basically, I think everyone wants remote administration.  Remote
> > administration requires several things:
> > 
> >     o  edit postgresql.conf
> >     o  edit pg_hba.conf
> >     o  reload the config files
> >     o  restart the server (for config variables requiring restart)
> >     o  view log files
> >     o  recycle log files
> >     o  rename/remove log files
> > 
> > All these items are on the TODO list already.
> 
> My security spider-sense tingles when I see the ability for a remote
> attacker to not only completely override password, certificate and IP
> absed authentication but also to easily remove logfiles.

Yes, I'd trim that part to support only rename of log files, and
constrain the destination to the log directory.  (I guess I don't need
to mention that all log file operations are already constrained to files
inside the log directory.)

For the "edit postgresql.conf" part I guess it would be important to
have some settings that would not be changeable via this interface.

-- 
Alvaro Herrera (<alvherre[a]alvh.no-ip.org>)
"La primera ley de las demostraciones en vivo es: no trate de usar el sistema.
Escriba un guión que no toque nada para no causar daños." (Jakob Nielsen)