On Mon, Apr 10, 2017 at 10:08 PM, Stephen Frost <sfr...@snowman.net> wrote:
> Generally speaking, we should be trying to move away from superuser-only
> anything, not introducing more of it.

I totally agree, which is why I was rather surprised when you
vigorously objected to my attempts to replace the remainder of the
main tree's superuser checks that completely block execution of
certain SQL functions with privilege grants.  The parameters within
which you find explicit superuser checks tolerable are extremely murky
to me.

> If the connection string can have
> sensitive data in it, ...

I would argue that a great deal of what's in a connection string could
potentially be sensitive.  Do you want to disclose to unprivileged
users potentially-useful host names, IP addresses, port numbers, user
names, passwords, and/or required SSL settings?  I don't think we
should assume any of that stuff to be generally OK to disclose to
non-superusers.  It could be OK to disclose to everyone in some
installations, or to some people even in highly secure installations,
but the idea that there is nobody who cares about obscuring the
majority of what goes into a connection string doesn't sound right to
me.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company