[#1011223] run-time option to disable SELECT and TARGET

Date:
2012-09-12 20:51 Priority:
3

State:
Open

Submitted by:
Peter Eisentraut (petere) Assigned to:
Nobody (None)

Category:
None Group:
None

Summary:
run-time option to disable SELECT and TARGET

Detailed description
The NO_SELECT compile option is interesting, but many people use binary packages, so it's not very convenient to use. A run-time option to disable SELECT (and perhaps TARGET) would therefore be useful. I imagine something like this: alter server testcluster options (add disable_select '1'); I've looked into the code a bit. Unfortunately, the cluster configuration isn't easily available in the parse phase, so this might take some restructuring.

Followup

Message
Date: 2012-10-31 12:26 Sender: Marko Kreen Well, main point of disabling SELECT (and TARGET) is to restrict somebody who has managed to get superuser access in database. So anything that can be worked around with in-database commands is not that interesting. Non-superusers are already restricted by fact that you need to be superuser to create PL/Proxy functions. And "restrict" here means how it can move to and exploit other systems. Restricting TARGET does not seems that useful as you just need to create another function to work around it. But I would not mind having the option for that as we might add more flexibility to TARGET, thus it might make sense. It would be more interestring to freeze the cluster config somehow, but I don't see sane way to do it. And limiting destination addresses can be done outside of Postgres.
Date: 2012-10-31 12:10 Sender: Marko Kreen Good point about binary packages. I would not bother about checks in parse phase. Instead the config check can happen later if cluster info is also loaded. And does per-cluster config of those items make sense at all? Maybe it would better to have custom GUC's to be put into postgresql.conf instead, for global setting. And no way to work around it.

No Changes Have Been Made to This Item