On 2019-Apr-01, Tom Lane wrote: > Magnus Hagander <magnus@xxxxxxxxxxxx> writes: > > On Sat, Mar 30, 2019 at 10:16 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote: > >> Yeah; this is supposing that there is a security boundary between > >> Postgres superusers and the OS account running the server, which > >> there is not. We could hardly have features like untrusted PLs > >> if we were trying to maintain such a boundary. > > > I wonder if we need to prepare some sort of official response to that. > > I was considering writing up a blog post about it, but maybe we need > > something more official? > > Blog post seems like a good idea. As for an "official" response, > it strikes me that maybe we need better documentation. I'm not sure > that we spell out anywhere what we think the security model is. > There are plenty of scattered warnings about unsafe things, but > if there's any specific statement equivalent to what I just > wrote above, I can't remember where. > > (By the same token, I'm not sure where would be a good place > to put it ...) Apparently we had a "Security" chapter in version 7.0, which got removed, and we recently got a complaint about that: https://postgr.es/m/CABxk5gCBhLSdrHZVnKUyKk2gR+tcWKNEQ2E-Wnf6OtSJtQ3Ueg@xxxxxxxxxxxxxx I think Peter is right that we may not want to duplicate the contents of each section, but I think it makes sense to have a chapter in "Part III. Server Administration", maybe just after chapters 26 or 27, where some security considerations are put forth with references to the detailed docs on security for each aspect of the system. -- Álvaro Herrera https://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services