Re: Insufficient attention to security in contrib (mostly)
From | Josh Berkus |
---|---|
Subject | Re: Insufficient attention to security in contrib (mostly) |
Date | |
Msg-id | 200708280801.56340.josh@agliodbs.com |
In response to | Re: Insufficient attention to security in contrib (mostly) (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: Insufficient attention to security in contrib (mostly) |
List | pgsql-hackers |

Tom,

> ... in particular, that restriction seems pretty content-free for most
> practical layouts. And it's got interesting security behaviors:
> DBA A, by more-or-less innocently allowing some tables in his database B
> to be created in tablespace C, might be allowing his unrelated user D to
> find out info about some other database E that shares use of C. I'd
> like there to have to be some direct, intended connection of D to E
> before D can measure E's size ...

Well, that puts us back in the position of requiring a "read" or "metadata" permission for tablespaces, or requiring superuser access. The latter is unpalatable because there are existing tools in the field which work without superuser access; the former is troublesome because it wouldn't be used for anything other than the dbsize function, at least not right now.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco