On Fri, Jan 18, 2019 at 09:50:40AM -0500, Stephen Frost wrote:
> Yes, we should update the documentation in this regard, though it's
> really an independent thing as that documentation should have been
> updated in the original group-access patch, so I'll see about fixing
> it and back-patching it.

Stephen, could you apply Hari's patch then? I am not sure what the consensus is, but documenting the restriction is the minimum we can do.

- The default permissions are <literal>0600</literal>, meaning only the - server owner can read or write the log files. The other commonly - useful setting is <literal>0640</literal>, allowing members of the owner's - group to read the files. Note however that to make use of such a - setting, you'll need to alter <xref linkend="guc-log-directory"/> to - store the files somewhere outside the cluster data directory. In - any case, it's unwise to make the log files world-readable, since - they might contain sensitive data. + The default permissions are either <literal>0600</literal>, meaning only the + server owner can read or write the log files or <literal>0640</literal>, that + allows any user in the same group can read the log files, based on the new + cluster created with <option>--allow-group-access</option> option of <command>initdb</command> + command. Note however that to make use of any setting other than default, + you'll need to alter <xref linkend="guc-log-directory"/> to store the files + somewhere outside the cluster data directory.

I would formulate that differently, by just adding an extra paragraph to mention that using <literal>0640</literal> is recommended to be compatible with initdb's --allow-group-access instead of sticking it in the middle of the existing paragraph.

--
Michael
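
Review bot: the closing caution of the removed paragraph ("it's unwise to make the log files world-readable, since they might contain sensitive data") has no counterpart in the added lines as quoted, so the rewritten paragraph loses its only warning about exposing log contents; keep that sentence at the end of the new text. In the first added sentence, "that allows any user in the same group can read the log files" is ungrammatical and "any user in the same group" is less precise than the original "members of the owner's group"; reusing the original wording for the <literal>0640</literal> case would fix both.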