On Fri, Jul 1, 2022 at 5:15 AM Hannu Krosing <han...@google.com> wrote:
> This is the eternal problem with security - more security always
> includes more inconvenience.

But the same amount of security can be more or less inconvenient, and I don't think your proposal does very well there. More inconvenience doesn't mean more security.

I actually think this whole line of attack is probably a dead end. My preferred approach is to find ways of delegating a larger subset of superuser privileges to non-superusers, or to prevent people from assuming the superuser role in the first place. Trying to restrict what superusers can do seems like a much more difficult path, and I think it might be a dead end. But if such an approach has any hope of success, I think it's going to have to try to create a situation where most of the administration that you need to do can be done most of the time with some sort of restricted superuser privileges, and only in extreme scenarios do you need to change the cluster state to allow full superuser access.

There's no such nuance in your proposal. It's just a great big switch that makes superuser mean either nothing, or all the things it means today. I don't think that's really a meaningful step forward.

--
Robert Haas
EDB: http://www.enterprisedb.com