Alvaro Herrera <alvhe...@commandprompt.com> writes: > Tom Lane wrote: >> It looks to me like the code in AlterSetting() will allow an ordinary >> user to blow away all settings for himself. Even those that are for >> SUSET variables and were presumably set for him by a superuser. Isn't >> this a security hole? I would expect that an unprivileged user should >> not be able to change such settings, not even to the extent of >> reverting to the installation-wide default.
> Yes, it is, but this is not a new hole. This works just fine in 8.4 > too: So I'd argue for changing it in 8.4 too. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers