Tom Lane wrote: > It looks to me like the code in AlterSetting() will allow an ordinary > user to blow away all settings for himself. Even those that are for > SUSET variables and were presumably set for him by a superuser. Isn't > this a security hole? I would expect that an unprivileged user should > not be able to change such settings, not even to the extent of > reverting to the installation-wide default.
Yes, I completely overlooked the fact that users should not be able to blow away GUCs set by superuser. I can't handle this right now though, as I'm leaving in a couple of days and won't return until cca. Dec. 1st. If this can wait (and I think it does) then I'll handle it then; otherwise I'd appreciate if someone else could take a look and fix it. -- Alvaro Herrera http://www.CommandPrompt.com/ The PostgreSQL Company - Command Prompt, Inc. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
