Andrew Sullivan <[EMAIL PROTECTED]> writes:
> I guess I'm dumb, but I'm not seeing how these environment variables
> are a big security risk.

The trouble with relying on environment variables for paths (especially paths to places that we might scribble on) is that the postmaster has no idea which strings in its environment were actually intended for that use, and which were not. As an example, the postmaster very likely has $HOME in its environment. This means that anyone with createdb privilege can try to create a database in the postgres user's home directory. It's relatively harmless (since what will actually get mkdir'd is some name like /home/postgres/base/173918, which likely can't overwrite anything interesting) but it's still not a good idea. $PWD would be another likely attack point, and possibly one could do something with $PATH, not to mention any custom environment variables that might happen to exist in the local environment. If we add more environment-variable-dependent mechanisms to allow more different things to be done, we increase substantially the odds of creating an exploitable security hole.

> In any case, it'd be a _very good_ thing to have a tablespace-like
> facility.

Absolutely. But let's not drive it off environment variables. A config file is far safer.

regards, tom lane
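The design point in the message above, as an added illustration that is not part of the thread and not PostgreSQL code: a location lookup that reads whatever environment variable the caller names, beside one that only honours an explicit operator-written table. The environment contents, the location names and the directory layout (/base/<oid>) are constructed for the example; the function and variable names are hypothetical.

```python
import posixpath

# Constructed sample environment, standing in for what a daemon inherits from
# the shell that started it. Only one entry was put there as a database
# location; the rest is ordinary process environment.
SAMPLE_ENV = {
    "HOME": "/home/postgres",
    "PWD": "/home/postgres",
    "PATH": "/usr/local/bin:/usr/bin",
    "PGDATA": "/var/lib/pgsql/data",
    "PGDATA2": "/mnt/disk2/pgsql",   # the one the operator actually intended
}


def resolve_location_env(name, env=SAMPLE_ENV):
    """Risky pattern: treat any environment variable as a database location.

    The resolver cannot distinguish PGDATA2 from HOME, PWD or PATH, so any
    user allowed to pick a location name gets to pick among all of them.
    """
    value = env.get(name)
    if value is None:
        raise ValueError(f"unknown location {name!r}")
    return value


# Safer pattern: an explicit table of locations. In a real daemon this would
# be parsed from a config file only the operator can write; it is inlined
# here so the example runs offline.
LOCATION_CONFIG = {
    "default": "/var/lib/pgsql/data",
    "disk2": "/mnt/disk2/pgsql",
}


def resolve_location_config(name, config=LOCATION_CONFIG):
    """Only names the operator listed resolve; everything else is refused.

    The configured path is also required to be absolute and already
    normalized, so a careless entry such as "../x" or "/data/../etc" cannot
    quietly point outside the directory the operator thought they named.
    """
    if name not in config:
        raise ValueError(f"unknown location {name!r}")
    path = config[name]
    if not posixpath.isabs(path) or posixpath.normpath(path) != path:
        raise ValueError(f"location {name!r} has an unsafe path {path!r}")
    return path


def database_dir(location, dboid, resolver):
    """Directory a hypothetical CREATE DATABASE ... WITH LOCATION would mkdir."""
    return posixpath.join(resolver(location), "base", str(dboid))


def probe(resolver, names, dboid=173918):
    """Show what each attacker-chosen location name resolves to.

    Returns a dict of name -> resulting directory, or None when the resolver
    refused the name.
    """
    results = {}
    for name in names:
        try:
            results[name] = database_dir(name, dboid, resolver)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    attacker_names = ["HOME", "PWD", "PATH", "PGDATA2", "disk2", "default"]
    for label, resolver in (("env", resolve_location_env),
                            ("config", resolve_location_config)):
        print(label)
        for name, result in probe(resolver, attacker_names).items():
            print(f"  {name:8} -> {result}")
```

Run stand-alone, the env-based resolver turns HOME into /home/postgres/base/173918 and will happily try to use the colon-separated PATH string as a directory, while the config-based resolver refuses every name that is not in the table; the only thing a createdb user can choose is which of the operator's locations to use.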