Excerpts from Amit Kapila's message of Wed Jun 13 00:53:47 -0400 2012:
> > Unfortunately in src/backend/main/main.c it only does a cursory check
> > for --help and --version. So it would need to become a little more
> > complicated to scan for -C options at that stage. It's not too much
> > if you can assume -C always appears first like the other special
> > options detected in that file.
>
> I am doubtful whether we should make such an exception for the -C option,
> as this will be a change in behavior as compared to previous versions.
> How to do it in code is the next step.
> According to me the solution I have proposed is safer, and initdb already
> handles it in the same way.
>
> I am waiting for other people's opinions on this issue.
I agree with you. The fact that we drop privileges is not only a security measure; it's a robustness one as well. With the current setup, we can confidently say "it's not Postgres' fault" when the system crashes with some weird kernel error. A process running with administrative privs is capable of doing privileged stuff that may override safe interfaces provided by the operating system; a process without admin privs is more constrained and should not be able to cause the system to crash. Any kernel crash, then, is not our responsibility. If we allow -C to run with admin privs, we lose that.

--
Álvaro Herrera <alvhe...@commandprompt.com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
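The gate the thread is arguing about, as an added illustration rather than PostgreSQL's own main.c: the option names and the function `refuse_privileged_start` are assumptions for this example, but the shape matches the position above: only the purely informational options are honoured before the administrative-privilege check, and -C is deliberately not exempted, so a configuration lookup never runs with admin privileges.

```c
/* Constructed example, not PostgreSQL source: an early privilege gate that
 * decides, before any real work happens, whether the server may continue. */
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Options that are safe to honour before the privilege check: they print
 * static text and exit without reading the data directory as the caller. */
static bool is_informational_option(const char *arg)
{
    return strcmp(arg, "--help") == 0 || strcmp(arg, "-?") == 0 ||
           strcmp(arg, "--version") == 0 || strcmp(arg, "-V") == 0;
}

/* Returns true if the server must refuse to continue for this command line
 * under the given effective uid.  Like the cursory scan the thread describes,
 * only the first argument is inspected; "-C <name>" is treated as an ordinary
 * invocation because it still opens and parses the configuration file, so it
 * gets no exemption and is refused when running as uid 0. */
bool refuse_privileged_start(int argc, char *argv[], uid_t euid)
{
    if (argc > 1 && is_informational_option(argv[1]))
        return false;           /* nothing privileged can happen here */
    return euid == 0;           /* everything else: drop privs first, or refuse */
}

/* Convenience wrapper for callers that want the live effective uid. */
bool refuse_privileged_start_here(int argc, char *argv[])
{
    return refuse_privileged_start(argc, argv, geteuid());
}
```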