Robert Haas <robertmh...@gmail.com> writes: > On Mon, Feb 27, 2017 at 1:24 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> * I'm not terribly comfortable about what the permissions levels of the >> GUCs ought to be. ... Maybe we'd better make them both SUSET.
> Making them SUSET sounds like a usability fail to me. I'm not sure > how bad the security risks of NOT making them SUSET are, but I think > if we find that SUSET is required for safety then we've squeezed most > of the value out of the feature. Well, the feature it's replacing (autoload an "unknown" module) had to be squeezed down to being effectively superuser-only, so we're not really losing anything compared to where we are now. And the more I think about it, the less I think we can introduce a new security-critical GUC and just leave it as USERSET. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers