From: | Andres Freund <andres(at)anarazel(dot)de> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Harold Giménez <harold(dot)gimenez(at)gmail(dot)com> |
Subject: | Re: pg_upgrade improvements |
Date: | 2012-04-05 16:24:55 |
Message-ID: | 201204051824.56092.andres@anarazel.de |
Lists: | pgsql-hackers |
On Thursday, April 05, 2012 06:12:48 PM Tom Lane wrote:
> Andres Freund <andres(at)anarazel(dot)de> writes:
> > On Thursday, April 05, 2012 05:39:19 PM Tom Lane wrote:
> >> Yeah, that would be a small pain in the neck, but it eliminates a huge
> >> pile of practical difficulties, like your blithe assumption that you can
> >> find a "private directory" somewhere (wrong) or disallow access to other
> >> people (also wrong, if they are using the same account as you).
> >
> > I don't think this needs to protect against malicious intent of a user
> > running with the *same* privileges as the postmaster.
>
> Who said anything about malicious intent? Please re-read the original
> gripe in this thread. There's nothing un-legitimate about, eg, clients
> trying to connect to the database during your maintenance window.
Yes, there is not. But those clients won't connect to a socket in some
directory that's created extra for this purpose which they don't even know the
name of. Scanning the directory tree for that would require malicious intent.
> What we want is to be sure that nobody can connect to the database
> except the person running the standalone instance. To my mind "sure"
> means "sure"; it does not include qualifiers like "unless some
> other process tries to do the same thing at about the same time".
It's not like creating a file/directory/pipename with a random name and
retrying if it already exists is an especially hard thing. That does make
*sure* it does not happen by accident. Besides the fact that the single-run backend
should already make sure we're not running concurrently. So even a *fixed*
atomically created filename should be enough if it's not the regular name
and in a place that's not accessible from the outside.
Anyway, I don't think those reasons are sensible, but I don't care enough to
argue further.
Andres