* Tom Lane (t...@sss.pgh.pa.us) wrote:
> I think we'd be better off trying to fix the security issue by
> constraining what can be executed as a "standalone backend". Would
> it work to insist that psql/pg_dump launch the program named postgres
> from the same bin directory they're in, rather than accepting a path
> from the connection string?
Couldn't that be an issue for people who have multiple major versions of binaries installed? In particular, the "default" on the system for psql might be 9.3 while the cluster you're trying to recover may be 9.2. Of course, in that case you might say to use the 9.2 psql, which would be fair, but what if you're looking to get the data out of the 9.2 DB and into the 9.3? In that case, we'd recommend using the 9.3 pg_dump.

Basically, I'd suggest that we try and avoid things like "the binaries have to be in the same directory"..

With regard to access to the socket, perhaps we create our own socket w/ 0600 and use that? Seems like it'd be sufficient to prevent the 'normal' users from getting into the DB while we're working on it. If there's two different individuals getting into the same system and trying to start the same cluster as the same unix user, well.. I'm not convinced we'd be able to come up with a perfect solution to that anyway.

Thanks,

Stephen
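The "create our own socket w/ 0600" idea above, as an added example that is not part of the thread and not PostgreSQL code: a Python script that binds a Unix-domain listening socket with mode 0600 inside a 0700 directory and then checks the result. The directory is the part that matters on systems that do not enforce permissions on socket files themselves (which is why PostgreSQL's own documentation recommends a private socket directory); the umask and the follow-up chmod cover the socket file where it is enforced. The socket name `.s.PGSQL.recovery` and the `demo()` helper are assumptions made for the example. As the post notes, none of this separates two sessions running as the same unix user; file permissions only keep other users out.

```python
import os
import socket
import stat
import tempfile


def create_private_socket(directory):
    """Bind a Unix-domain listening socket reachable only by the owning user.

    Returns (listening_socket, socket_path).
    """
    # A 0700 directory protects the socket even where the OS ignores the
    # mode bits on the socket file itself.  makedirs() mode is subject to the
    # umask, so chmod explicitly afterwards.
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)

    path = os.path.join(directory, ".s.PGSQL.recovery")  # hypothetical name
    if os.path.exists(path):
        os.unlink(path)  # stale socket from an earlier run

    # Restrict the umask for the duration of bind() so the socket file is
    # never world- or group-accessible, not even briefly.
    old_umask = os.umask(0o077)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)  # belt and braces on systems that honour it
    sock.listen(1)
    return sock, path


def file_mode(path):
    """Permission bits (e.g. 0o600) of a path, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(path):
    """True if path is a socket and neither it nor its directory grants
    any permission to group or others."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False
    if stat.S_IMODE(st.st_mode) & 0o077:
        return False
    return file_mode(os.path.dirname(path)) & 0o077 == 0


def demo():
    """Create a private socket in a fresh temporary directory, confirm the
    owning user can still connect, report the checks, and clean up.
    Returns a dict so the result can be inspected or asserted."""
    directory = tempfile.mkdtemp(prefix="pg-standalone-")
    sock, path = create_private_socket(directory)
    try:
        # The same user is allowed in; other users are stopped by the mode.
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)
        client.close()
        result = {
            "socket_mode": file_mode(path),
            "dir_mode": file_mode(directory),
            "private": is_private(path),
        }
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(directory)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

A stricter check than `file_mode` alone would also confirm that every parent directory up to the root denies traversal to other users, since a 0700 directory is only as private as the path leading to it.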