CREATE DATABASE - Mailing list pgsql-hackers

From Thomas G. Lockhart
Subject CREATE DATABASE
Date
Msg-id 355C4674.7FEC25EB@alumni.caltech.edu
Responses Re: CREATE DATABASE
List pgsql-hackers
Was looking through the new docs and noticed that the example for
creating a database in an alternate location has trouble:

   $ mkdir private_db
   $ initlocation ~/private_db
   Creating Postgres database system directory /home/olly/private_db/base

   $ chmod a+rx private_db
   $ chmod a+rwx private_db/base
   $ psql
   ...

The chmods are a Bad Idea (tm) since they blow the security assumptions
for Postgres. The protections are explicitly set by initlocation to lock
down these directories.

I guess that the alternate location setup (initlocation) was really
meant as a tool for the Postgres administrator, not for individual
users. If users create alternate locations, and then for example create
a database and then delete the directories from the file system rather
than through Postgres, things will become ugly. The assumption is that
the administrator is likely to be more careful since she is likely to be
more aware of the issues.

I have (or had) some #ifdef code which _requires_ that environment
variables be used to specify alternate locations, rather than allowing
absolute paths also. This helps ensure that locations are used which
have been set up by the Postgres administrator, since the admin must
have defined the environment variables for the backend before it starts
up.

I'm not sure how to write an example which had initlocation being run by
someone other than the Postgres superuser while still being clear on
these security/integrity issues. What would you suggest?

                          - Tom
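As an added illustration of the point made above (this is not code from the post or from the Postgres project), the following shell function audits an alternate-location directory for the property the message says initlocation establishes: the owning user has access and group/other have none. It flags exactly the state that the documented `chmod a+rwx private_db/base` produces. The function name, the temporary demo directory and the "owner only" mode `700` are assumptions of this example; the check reads the mode string from `ls -ld`, so it works on any POSIX system without GNU-specific `stat` flags.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# check_private_dir DIR
#   Returns 0 when DIR is readable/writable/searchable only by its owner
#   (mode string drwx------), 1 when any group or other bit is set, and
#   2 when DIR is not a directory.
check_private_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # The first 10 characters of `ls -ld` output are the type and mode bits,
    # e.g. "drwx------"; a trailing "+" or "." (ACL/SELinux) is ignored.
    mode=$(ls -ld "$dir" | cut -c1-10)
    # Characters 5-10 are the group and other triplets.
    group_other=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "INSECURE: $dir has mode $mode (group/other bits set)" >&2
        return 1
    fi
    echo "ok: $dir has mode $mode"
    return 0
}

# Demo on a constructed temporary directory (assumed layout, like ~/private_db/base).
demo=$(mktemp -d)
mkdir -m 700 "$demo/base"              # owner-only, the locked-down state
check_private_dir "$demo/base"
chmod a+rwx "$demo/base"               # the loosening the docs example performed
check_private_dir "$demo/base" || echo "(audit correctly rejects the loosened directory)"
rm -rf "$demo"
```

Running the audit against each directory under an alternate location (the location root and its `base` subdirectory) before starting the backend catches the case where someone followed the documented chmod steps; the exit status is 1 for a loosened directory, so it fits a pre-start check script.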
