Jim,
* Jim Nasby (Jim.Nasby@BlueTreble.com) wrote:
> We may need to bite the bullet and allow changing the user that the
> postgres process runs under so it doesn't match who owns the files.
> Maybe there's a way to allow that other than having the process
> start as root.
That's an interesting thought but it doesn't seem too likely to work out
for us. The process still has to be able to read and write the files,
create new files in the PGDATA directories, etc.
> Or maybe there's some other way we could restrict what a DB
> superuser can do in the shell.
This could be done with SELinux and similar tools, but at the end of the
day the answer, in my view really, is to have fewer superusers and for
those superusers to be understood to have OS-level shell access. We
don't want to deal with all of the security implications of trying to
provide a "trusted" superuser when that user can create functions in
untrusted languages, modify the catalog directly, etc.; it really just
doesn't make sense.
Thanks,
Stephen
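The point Stephen makes above, that a database superuser is effectively the OS user the server runs as, can be checked directly from SQL. The following is an added example, not part of this message or of the PostgreSQL project: an audit of who holds superuser and which procedural languages are untrusted, followed by two superuser-only operations (documented PostgreSQL behaviour, not a bug) that show why fewer superusers is the practical answer. It assumes PostgreSQL 9.3 or later and a connection as a superuser.

```sql
-- Added example, not from the original message or the PostgreSQL project.
-- Assumes a superuser session on PostgreSQL 9.3+.

-- 1. Audit: which roles hold superuser? The advice in the thread is to
--    keep this list as short as possible.
SELECT rolname
FROM pg_catalog.pg_roles
WHERE rolsuper
ORDER BY rolname;

-- 2. Audit: which procedural languages are untrusted (lanpltrusted = false)?
--    A function written in one of these runs with the permissions of the
--    OS user that owns the postgres process. 'c' and 'internal' always
--    appear here; anything else (e.g. plpythonu, plperlu) is worth noting.
SELECT lanname
FROM pg_catalog.pg_language
WHERE NOT lanpltrusted
ORDER BY lanname;

-- 3. Why superuser already means OS shell, with no untrusted PL installed:
--    COPY ... FROM PROGRAM is restricted to superusers by default and runs
--    the command as the server's OS user.
CREATE TEMP TABLE os_probe (line text);
COPY os_probe FROM PROGRAM 'id';
SELECT line FROM os_probe;

-- 4. Direct reads from PGDATA are likewise superuser-only by default;
--    a relative path is resolved against the data directory.
SELECT pg_catalog.pg_read_file('PG_VERSION');
```

Steps 1 and 2 are the checks to run periodically; if step 1 returns more than the roles you expect to have shell access on the database host, that mismatch is the problem the thread is describing, and restricting the OS user the server runs as would not close it.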