Initial draft of privilege escalation policy

Tom Lane tgl at
Thu Jan 21 23:54:47 UTC 2010

Adam Williamson <awilliam at> writes:
> Here's a second draft, addressing several (not yet all) of the concerns
> raised about the first.
> ...
> The policy requires that any code which allows an unprivileged user
> account to perform, or cause to be performed, certain actions must
> require authentication as the root user prior to the action being
> carried out.

I think it would be a good idea if this were rephrased so that it did
not sound like "you must give the root password".  Spot's original blog
post specifically mentioned the case of sudo, and there might be other
similar means of authentication that should be considered to allow these

(Unless the intention is to trash the usefulness of sudo, in which
case I'm going to start objecting loudly.)

The other point that sudo brings to mind is that there may be some
"distance" (for lack of a better word) between the authentication and
the authorized action.  I don't think the policy will be good for much
unless it tries to explain that concept and clarify just what amount of
separation we want to allow.

			regards, tom lane
