Alvaro Herrera <alvhe...@commandprompt.com> writes:
> Tom Lane wrote:
>> It looks to me like the code in AlterSetting() will allow an ordinary
>> user to blow away all settings for himself. Even those that are for
>> SUSET variables and were presumably set for him by a superuser. Isn't
>> this a security hole? I would expect that an unprivileged user should
>> not be able to change such settings, not even to the extent of
>> reverting to the installation-wide default.
> Yes, it is, but this is not a new hole. This works just fine in 8.4
> too:
So I'd argue for changing it in 8.4 too.
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
