Re: Proposal: knowing detail of config files via SQL

On 3/2/15 4:47 PM, Robert Haas wrote:
> On Sat, Feb 28, 2015 at 12:27 AM, Stephen Frost <sfrost@snowman.net> wrote:
>> While this generally "works", the usual expectation is that functions
>> that should be superuser-only have a check in the function rather than
>> depending on the execute privilege.  I'm certainly happy to debate the
>> merits of that approach, but for the purposes of this patch, I'd suggest
>> you stick an if (!superuser()) ereport("must be superuser") into the
>> function itself and not work about setting the correct permissions on
>> it.
> 
> -1.  If that policy exists at all, it's a BAD policy, because it
> prevents users from changing the permissions using DDL.  I think the
> superuser check should be inside the function, when, for example, it
> masks some of the output data depending on the user's permissions.
> But I see little virtue in handicapping an attempt by a superuser to
> grant SELECT rights on pg_file_settings.

This is in fact how most if not all code ensures supervisor-only access
to functions, so for the purpose of this patch, I think it is the
correct approach.  Someone may well change that soon after, if the other
ongoing efforts conclude.