| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_upgrade using appname to lock out other users |
| Date: | 2011-06-17 22:59:29 |
| Message-ID: | 201106172259.p5HMxTL12097@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> > On ons, 2011-06-15 at 17:50 -0400, Tom Lane wrote:
> >> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> >>> Peter Eisentraut wrote:
> >>>> On non-Windows servers you could get this even safer by disabling the
> >>>> TCP/IP socket altogether, and placing the Unix-domain socket in a
> >>>> private temporary directory. The "port" wouldn't actually matter then.
>
> >>> Yes, it would be nice to just create the socket in the current
> >>> directory. The fact it doesn't work on Windows would cause our docs to
> >>> have to differ for Windows, which seems unfortunate.
>
> >> It still wouldn't be bulletproof against someone running as the postgres
> >> user, so probably not worth the trouble.
>
> > But the postgres user would normally be the DBA itself, so it'd be his
> > own fault. I don't see how you can easily make any process safe from
> > interference by the same user account.
>
> Well, the point here is that it's not bulletproof, it's just making it
> incrementally harder to connect accidentally. Given that Windows
> wouldn't be covered, I don't see that it's worth the trouble compared to
> just switching to a nondefault port number. (Am I wrong to think that
> Windows users are more likely to mess up here?)
Windows is not covered if we shut off TCP and just use unix domain
sockets --- that is the only Windows-specific part I know. Windows does
work with the non-default port, and with writing the password to a file.
(FYI, I think we would need to use PGPASSWORD for the password file
option, and we don't recommend PGPASSWORD use in our docs.)
PG 9.1 already has code to lock out non-super users, but only for 9.1+
servers --- writing a password to a file would have the same only 9.2+
restriction. Non-default port numbers would work for all PG versions
because that is tied to the pg_upgrade binary.
Again, everything is easy to do --- we just have to decide. I hoped my
listing 5 items would unleash a flood of votes --- no such luck.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2011-06-17 23:14:03 | pgsql: Don't use "cp -i" in the example WAL archive_command. |
| Previous Message | Tom Lane | 2011-06-17 22:41:24 | Re: ALTER TABLE lock strength reduction patch is unsafe |