Re: running logical replication as the subscription owner
Robert Haas <robertmhaas@gmail.com>
From: Robert Haas <robertmhaas@gmail.com>
To: Mark Dilger <mark.dilger@enterprisedb.com>
Cc: Jeff Davis <pgsql@j-davis.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>,
Andres Freund <andres@anarazel.de>, Noah Misch <noah@leadboat.com>
Date: 2023-03-24T18:35:19Z
Lists: pgsql-hackers
On Fri, Mar 24, 2023 at 12:58 PM Mark Dilger <mark.dilger@enterprisedb.com> wrote: > I also think the subscription owner should be a low-privileged user, owing to the risk of the publisher injecting malicious content into the publication. I think you are focused on all the bad actors on the subscription-side database and what they can do to each other. That's also valid, but I get the impression that you're losing sight of the risk posed by malicious publishers. Or maybe you aren't, and can explain? You have a point. As things stand today, if you think somebody's going to send you changes to tables other than the ones you intend to replicate, you could handle that by making sure that the user that owns the subscription only has permission to write to the tables that are expected to receive replicated data. It's a bit awkward to set up because you have to initially make the subscription owner a superuser and then later remove the superuser bit, so I think this is another argument for the pg_create_subscription patch posted elsewhere, but if you're a superuser yourself, you can do it. However, with this patch, that wouldn't work any more, because the permissions checks don't happen until after we've switched to the target role. You could alternatively set up a user to own the subscription who has the ability to SET ROLE to some users and not others, but that only lets you restrict replication based on which user owns the tables, rather than which specific tables are getting data replicated into them. That actually wouldn't work today, and with the patch it would start working, so basically the effect of the patch on the problem that you mention would be to remove the ability to filter by specific table and add the ability to filter by owning role. I don't know how bad that sounds to you, and if it does sound bad, I don't immediately see how to mitigate it. As I said to Jeff, if you can replicate into a table that has a casually-written SECURITY INVOKER trigger on it, you can probably hack into the table owner's account. So I think that if we allow user A to replicate into user B's table with fewer privileges than A-can-set-role-to-B, we're building a privilege-escalation attack into the system. But if we do require A-can-set-role-to-B, then things change as described above. I suppose in theory we could check both A-can-set-role-to-B and A-can-modify-this-table-as-A, but that feels pretty unprincipled. I can't particularly see why A should need permission to perform an action that is actually going to be performed as B; what makes sense is to check that A can become B, and that B has permission to perform the action, which is the state that this patch would create. I guess there are other things we could do, too, like add replication restriction or filtering capabilities specifically to address this problem, or devise some other kind of new kind of permission system around this, but I don't have a specific idea what that would look like. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Honor run_as_owner option in tablesync worker.
- a83edeaf684a 16.0 landed
-
Document new pg_subscription columns.
- bc25d6c54a00 16.0 landed
-
Add a run_as_owner option to subscriptions.
- 482675987bcd 16.0 landed
-
Perform logical replication actions as the table owner.
- 1e10d49b65d6 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 cited
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 cited
-
Empty search_path in logical replication apply worker and walsender.
- 11da97024abb 14.0 cited
-
Empty search_path in Autovacuum and non-psql/pgbench clients.
- 582edc369cdb 11.0 cited