Re: Hardening PostgreSQL via (optional) ban on local file system access

On Wed, 2022-06-29 at 00:05 -0700, Andres Freund wrote:
> On 2022-06-29 08:51:10 +0200, Laurenz Albe wrote:
> > On Tue, 2022-06-28 at 16:27 -0700, Andres Freund wrote:
> > > > Experience shows that 99% of the time one can run PostgreSQL just fine
> > > > without a superuser
> > > 
> > > IME that's not at all true. It might not be needed interactively, but that's
> > > not all the same as not being needed at all.
> > 
> > I also disagree with that.  Not having a superuser is one of the pain
> > points with using a hosted database: no untrusted procedural languages,
> > no untrusted extensions (unless someone hacked up PostgreSQL or provided
> > a workaround akin to a SECURITY DEFINER function), etc.
> 
> I'm not sure what exactly you're disagreeing with? I'm not saying that
> superuser isn't needed interactively in general, just that there are
> reasonably common scenarios in which that's the case.

I was unclear, sorry.  I agreed with you that you can't do without superuser
and disagreed with the claim that 99% of the time nobody needs superuser
access.

Yours,
Laurenz Albe