Re: logfile subprocess and Fancy File Functions

Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Tom Lane wrote:
>> Also, while I'm aware that a superuser can persuade the backend to write
>> on anything, it doesn't follow that we should invent pg_file_write(),
>> pg_file_rename(), or pg_file_unlink().

> I think the analogy is locking one door but leaving the other door
> unlocked.

Not only that, but posting a sign out front telling which door is
unlocked.

As for the analogy to COPY, the addition of unlink/rename to a hacker's
tool set renders the situation far more dangerous than if he only has
write.  Write will not allow him to hack write-protected files, but he
might be able to rename them out of the way and create new trojaned
versions...

            regards, tom lane