> > How is this different from the fact that the superuser can
> > already use COPY to accomplish the same thing?
>
> COPY can accomplish a few of the same things, much less
> conveniently (for instance, it's darn hard to write an
> arbitrary binary file through COPY).
Right. But the *security* problem is more or less equal. If somebody hacks your superuser account, they can do at least almost the same amount of damage. It may take a little more work, but if you just want to kill the system by overwriting files, or overwriting, say, the password file, it's just as easy. And if what you want to do is stick some kind of executable on the system, you can just wrap it in a shell script that will unpack it.

> If COPY provided all the same functionality, then Andreas
> would just use that and not be so worried about having this
> patch. QED.

Oh, Andreas could edit postgresql.conf and whatever using COPY, no doubt. And he could read the logfiles that way. But it would be very hackish. From what I see this is just providing a different interface to similar functionality.

But the point I'm trying to make is that the *security implications* are more or less the same, just with a thin layer of security-through-obscurity over one of them.

Bottom line: If somebody hacks your superuser, you've lost your database. If your database service user has write access to sensitive areas, or if you later log in as root (or whatever) and execute any files that the database service user has write access to, you've lost your box. This holds true with or without the patch.

//Magnus
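As an added example (not code from the thread or from PostgreSQL), here is a small audit of the post's bottom line: does the database service account have write access to places that matter outside the database? The account name `postgres` and the paths in `SENSITIVE` are assumptions; adjust them to your installation.

```python
"""Audit whether a database service account can write to sensitive paths.

Added example, not from the mailing-list thread. It evaluates plain POSIX
mode bits only, so it ignores ACLs, capabilities and parent-directory
permissions: treat a "writable" result as a lead to verify, not as proof.
"""
import grp
import os
import pwd
import stat


def service_account_ids(user: str):
    """Return (uid, set of gids) for a named account, e.g. 'postgres'."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def can_write(path: str, uid: int, gids) -> bool:
    """True if the mode bits grant write to uid/gids (uid 0 always can)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(paths, uid, gids):
    """Return the subset of paths the account could overwrite."""
    return [p for p in paths if can_write(p, uid, gids)]


# Assumed sensitive locations, following the thread's argument: the system
# password file, the server's own config, and places a later root login
# might execute files from. Adjust to the real installation.
SENSITIVE = ["/etc/passwd", "/etc/postgresql/postgresql.conf",
             "/usr/local/bin", "/root/.bashrc"]

if __name__ == "__main__":
    uid, gids = service_account_ids("postgres")  # assumed account name
    for p in audit(SENSITIVE, uid, gids):
        print("WRITABLE by service account:", p)
```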