On 23/03/2019 02:38, Michael Paquier wrote: > On Fri, Mar 22, 2019 at 08:41:06PM +0800, Andrey Borodin wrote: >> 22 марта 2019 г., в 19:17, Petr Jelinek <petr.jeli...@2ndquadrant.com> >> написал(а): >>> I still don't like that we are running the subscription workers as >>> superuser even for subscriptions created by regular user. That has >>> plenty of privilege escalation issues in terms of how user functions are >>> run (we execute triggers, index expressions etc, in that worker). >> >> Yes, this is important concern, thanks! I think it is not a big deal >> to run worker without superuser privileges too. >
Yes we should run without superuser privileges but perhaps more importantly we need to so me kind of security checks on tables while applying - the fact that the user had access to a table when subscription was created does not mean it will have it in 5 minutes and given our low level API usage in the worker, there is currently no check for that. See the 0004 patch in https://www.postgresql.org/message-id/0b477a34-01c5-ad97-b408-79f4e0e64...@2ndquadrant.com . > FWIW, the argument from Petr is very scary. So please let me think > that it is a pretty big deal. > >> Yes, this patch is a pure security implication and nothing else. > > And this is especially *why* it needs careful screening. > Yep that was exactly my point. I agree the feature is important, it just does not seem like the patch is RFC and given security implications I err on the side of safety here. -- Petr Jelinek http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
