Re: About "ERROR: must be *superuser* to COPY to or from a file"
From | Greg Stark |
---|---|
Subject | Re: About "ERROR: must be *superuser* to COPY to or from a file" |
Date | |
Msg-id | 87br3e3i7i.fsf@stark.xeocode.com |
In response to | Re: About "ERROR: must be *superuser* to COPY to or from (Scott Marlowe <smarlowe@g2switchworks.com>) |
Responses |
Re: About "ERROR: must be *superuser* to COPY to or from a file"
Re: About "ERROR: must be *superuser* to COPY to or from a file" |
List | pgsql-general |
Scott Marlowe <smarlowe@g2switchworks.com> writes:

> Plus, how is the server supposed to KNOW that you have access to the
> file? psql may know who you are, but the server only knows who you are
> in the "postgresql" sense, not the OS sense.

My original suggestion was that clients connected via unix domain sockets should be allowed to read any file owned by the same uid as the connecting client. (Which can be verified using getpeereid/SO_PEERCRED/SCM_CREDS.)

Alternatively and actually even better and more secure would be passing the fd directly from the client to the server over the socket. That avoids any question of the server bypassing any security restrictions. The client is responsible for opening the file under its privileges and handing the resulting fd to the server over the socket.

None of this helps for remote clients of course but remote clients can just ftp the file to the server anyways and some manual intervention is necessarily needed by the DBA to create a security policy for them.

--
greg
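
The fd-passing alternative from the message above, as an added example that is not part of the original post or of PostgreSQL's code: the client opens the file itself and hands the descriptor to the server with SCM_RIGHTS over a Unix-domain socket. The names `send_fd`, `recv_readonly_fd` and `demo`, the sample file, and the server-side rule of accepting only a regular file opened read-only are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Client: pass an already-open descriptor to the peer as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = { 0 };
    char byte = 'F'; struct iovec iov = { &byte, 1 };   /* one data byte carries the fd */
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Server (assumed policy, not from the post): keep only a regular file opened read-only. */
static int recv_readonly_fd(int sock) {
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))];
    char byte; struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct stat st;
    int fd, fl;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        (fl = fcntl(fd, F_GETFL)) != -1 && (fl & O_ACCMODE) == O_RDONLY) return fd;
    close(fd);                                   /* refuse anything else and drop it */
    return -1;
}
/* Demo over a socketpair: bytes the "server" reads through the passed fd, or -1. */
int demo(int client_flags) {
    char path[] = "/tmp/copyfdXXXXXX", buf[64];  /* constructed sample file */
    int sv[2] = { -1, -1 }, cfd = -1, sfd = -1, n = -1, fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "1,alice\n2,bob\n", 14) == 14 && socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0 &&
        (cfd = open(path, client_flags)) >= 0 &&  /* client opens under its own privileges */
        send_fd(sv[0], cfd) == 0 && (sfd = recv_readonly_fd(sv[1])) >= 0)
        n = (int)read(sfd, buf, sizeof buf);
    close(fd); close(cfd); close(sfd); close(sv[0]); close(sv[1]); unlink(path);
    return n;                                    /* close(-1) above is a harmless EBADF */
}
int main(void) { return demo(O_RDONLY) == 14 ? 0 : 1; }
```

The server never calls `open()` on a client-supplied path here, so the kernel's permission check happens once, in the client's process, which is the property the message points to.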