On Aug 15, 2013 3:44 AM, "Tom Lane" <t...@sss.pgh.pa.us> wrote: > > Josh Berkus <j...@agliodbs.com> writes: > >> Before 9.3, it would delete one specific file from a potentially shared > >> directory. In 9.3 it deletes the entire contents of a potentially shared > >> directory. That is a massive expansion in the surface area for > >> unintentional deletion. If we will disallow using shared directories > >> before the time 9.3 is released, that would fix it one way, but I don't > >> know if that is the plan or not. > > > I can't see doing that. I can see adding the requirement for 9.3, and > > then documenting it though. > > I think we should change 9.3 to be restrictive about ownership/permissions > on the stats_temp_directory (ie, require owner = postgres user, > permissions = 0700, same as for the $PGDATA directory). I agree that > back-patching such a change to the older branches is probably not a good
+1 > > In addition to that, it might be a good idea to do what the comment in the > code suggests, namely do more than zero checking on each file name to try > to make sure it looks like a stats temp file name that we'd generate > before we delete it. The ownership/permissions test wouldn't be enough > to prevent you from pointing at, say, ~postgres and thereby losing some > files you'd rather not. +1 on that as well. It shouldn't be that hard to do. /Magnus
