Re: Streaming replication as a separate permissions

Stephen Frost <sfrost@snowman.net>

From: Stephen Frost <sfrost@snowman.net>
To: Josh Berkus <josh@agliodbs.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, Magnus Hagander <magnus@hagander.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2010-12-23T22:33:42Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Allow Win32 to compile under MinGW. Major changes are:

* Josh Berkus (josh@agliodbs.com) wrote:
> On 12/23/10 2:21 PM, Tom Lane wrote:
> > Well, that's one laudable goal here, but "secure by default" is another
> > one that ought to be taken into consideration.
> 
> I don't see how *not* granting the superuser replication permissions
> makes things more secure.  The superuser can grant replication
> permissions to itself, so why is suspending them by default beneficial?
>  I'm not following your logic here.

The point is that the *replication* role can't grant itself superuser
privs.  Having the replication role compromised isn't great, but if that
role is *also* a superuser, then the whole database server could be
compromised.  Encouraging users to continue to configure remote systems
with the ability to connect as a superuser when it's not necessary is a
bad idea.

One compromise would be to:

a) let superusers be granted the replication permission
b) have pg_dump assume that superusers have that permission when dumping
   from a version which pre-dates the replication grant
c) have pg_upgrade assume the superuser has that permission when
   upgrading
d) *not* grant replication to the default superuser 

A better alternative, imv, would be to just have a & d, and mention in
the release notes that users *should* create a dedicated replication
role which is *not* a superuser but *does* have the replication grant,
but if they don't want to change their existing configurations, they can
just grant the replication privilege to whatever role they're currently
using.

	Thanks,

		Stephen