Scott Marlowe <smarlowe@xxxxxxxxxxxxxxxxx> writes:

> Plus, how is the server supposed to KNOW that you have access to the
> file? psql may know who you are, but the server only knows who you are
> in the "postgresql" sense, not the OS sense.

My original suggestion was that clients connected via unix domain sockets should be allowed to read any file owned by the same uid as the connecting client. (Which can be verified using getpeereid/SO_PEERCRED/SCM_CREDS.)

Alternatively and actually even better and more secure would be passing the fd directly from the client to the server over the socket. That avoids any question of the server bypassing any security restrictions. The client is responsible for opening the file under its privileges and handing the resulting fd to the server over the socket.

None of this helps for remote clients of course but remote clients can just ftp the file to the server anyways and some manual intervention is necessarily needed by the DBA to create a security policy for them.

-- 
greg
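The descriptor hand-off described in the message above, as an added C example that is not part of the original post and is not PostgreSQL code: the client opens the file under its own privileges and sends the open fd over a unix domain socket with SCM_RIGHTS. The names `ctl_t`, `send_fd`, `recv_fd` and `demo_roundtrip` are hypothetical, a `socketpair` stands in for the client/server connection, and the receiver's rule of accepting only read-only regular files is an assumed policy.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

typedef union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } ctl_t;
/* Client: pass an already-open descriptor via SCM_RIGHTS (one data byte is required). */
int send_fd(int sock, int fd) {
    char byte = 'F'; ctl_t u = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Server: keep the descriptor only if it is a read-only regular file (assumed policy). */
int recv_fd(int sock) {
    char byte; struct stat st; ctl_t u = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    if ((msg.msg_flags & MSG_CTRUNC) || (fcntl(fd, F_GETFL) & O_ACCMODE) != O_RDONLY ||
        fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Constructed demo: returns the number of bytes the "server" read through the passed fd. */
int demo_roundtrip(char *out, size_t n) {
    char path[] = "/tmp/fdpassXXXXXX";
    int sv[2], w = mkstemp(path), cfd = open(path, O_RDONLY); /* client opens as itself */
    unlink(path);
    if (w < 0 || cfd < 0 || write(w, "42,alice\n", 9) != 9) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || send_fd(sv[0], cfd)) return -1;
    close(w); close(cfd);                  /* the server's received copy stays valid */
    int sfd = recv_fd(sv[1]);
    ssize_t r = sfd < 0 ? -1 : read(sfd, out, n - 1);
    if (r >= 0) out[r] = '\0';
    close(sfd); close(sv[0]); close(sv[1]);
    return (int)r;
}
```

The receiver never resolves a path, so its own filesystem privileges play no part in what gets read; it still inspects the descriptor because the sender chooses what kind of object and access mode it hands over.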