Alvaro Herrera wrote: > Tom Lane wrote: > > Alvaro Herrera <alvhe...@commandprompt.com> writes: > > > Tom Lane wrote: > > >> It looks to me like the code in AlterSetting() will allow an ordinary > > >> user to blow away all settings for himself. Even those that are for > > >> SUSET variables and were presumably set for him by a superuser. Isn't > > >> this a security hole? I would expect that an unprivileged user should > > >> not be able to change such settings, not even to the extent of > > >> reverting to the installation-wide default. > > > > > Yes, it is, but this is not a new hole. This works just fine in 8.4 > > > too: > > > > So I'd argue for changing it in 8.4 too. > > Understood. I'm starting to look at what this requires.
Any progress on this? -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com PG East: http://www.enterprisedb.com/community/nav-pg-east-2010.do + If your life is a hard drive, Christ can be your backup. + -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
