Greetings,

* Petr Jelinek (petr.jeli...@2ndquadrant.com) wrote:
> On 23/03/2019 02:38, Michael Paquier wrote:
> > On Fri, Mar 22, 2019 at 08:41:06PM +0800, Andrey Borodin wrote:
> >> On 22 Mar 2019, at 19:17, Petr Jelinek <petr.jeli...@2ndquadrant.com>
> >> wrote:
> >>> I still don't like that we are running the subscription workers as
> >>> superuser even for subscriptions created by a regular user. That has
> >>> plenty of privilege escalation issues in terms of how user functions are
> >>> run (we execute triggers, index expressions etc, in that worker).
> >>
> >> Yes, this is an important concern, thanks! I think it is not a big deal
> >> to run the worker without superuser privileges too.
>
> Yes, we should run without superuser privileges but perhaps more
> importantly we need to do some kind of security checks on tables while
> applying - the fact that the user had access to a table when the
> subscription was created does not mean it will have it in 5 minutes and
> given our low level API usage in the worker, there is currently no check
> for that.
Agreed, and that's exactly the same as what I was telling Andrey at
PGConf APAC when he and I were discussing the subscription role. The
specific suggestion that I had was to check for every transaction, though
that was a pretty off-the-cuff idea and someone might have a better one,
certainly.

> > FWIW, the argument from Petr is very scary. So please let me think
> > that it is a pretty big deal.
> >
> >> Yes, this patch is a pure security implication and nothing else.
> >
> > And this is especially *why* it needs careful screening.
>
> Yep, that was exactly my point.
>
> I agree the feature is important, it just does not seem like the patch
> is RFC and given the security implications I err on the side of safety here.

Agreed.

Thanks!

Stephen
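The per-transaction privilege check discussed above, modelled in plain SQL as an added example that is not part of this thread, the patch under review, or the PostgreSQL apply worker itself (which does the equivalent in C against the catalog ACLs). The role `sub_owner`, the table `public.orders` and the helper `check_apply_privilege` are constructed for the illustration; run it as a superuser in a scratch database. The point it shows is the one Petr raises: a privilege that held when the subscription was created can be revoked later, so the check has to be repeated when changes are applied, not done once.

```sql
-- Constructed setup: a non-superuser subscription owner and a target table.
CREATE ROLE sub_owner NOLOGIN;
CREATE TABLE public.orders (id int PRIMARY KEY, amount numeric);
GRANT INSERT, UPDATE, DELETE ON public.orders TO sub_owner;

-- Hypothetical helper standing in for the check an apply worker would run
-- at the start of each remote transaction: does the subscription owner,
-- right now, hold the privilege the incoming change needs on the target
-- relation?  It raises insufficient_privilege instead of applying silently.
CREATE OR REPLACE FUNCTION check_apply_privilege(owner name, rel text, priv text)
RETURNS void LANGUAGE plpgsql AS $$
BEGIN
    IF NOT has_table_privilege(owner, rel, priv) THEN
        RAISE EXCEPTION 'role % lacks % on %', owner, priv, rel
            USING ERRCODE = 'insufficient_privilege';
    END IF;
END;
$$;

-- Remote transaction 1: the grant is in place, the check passes, the row lands.
BEGIN;
SELECT check_apply_privilege('sub_owner', 'public.orders', 'INSERT');
INSERT INTO public.orders VALUES (1, 10);
COMMIT;

-- Meanwhile an administrator withdraws the privilege.  A check done only at
-- CREATE SUBSCRIPTION time has no way of noticing this.
REVOKE INSERT ON public.orders FROM sub_owner;

-- Remote transaction 2: the per-transaction check fires and the block
-- fails with insufficient_privilege, so nothing is applied.
BEGIN;
SELECT check_apply_privilege('sub_owner', 'public.orders', 'INSERT');
INSERT INTO public.orders VALUES (2, 20);
COMMIT;
```

Checking once per transaction, as suggested in the reply above, bounds the staleness to the transaction being applied; checking once per subscription bounds it to nothing. The same function can be called with 'UPDATE' or 'DELETE' for the other change types, and `has_schema_privilege` covers the USAGE check on the target schema that the table-level test does not.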