Re: running logical replication as the subscription owner
Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis <pgsql@j-davis.com>
To: Robert Haas <robertmhaas@gmail.com>
Cc: "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>, Andres Freund <andres@anarazel.de>, Noah Misch <noah@leadboat.com>
Date: 2023-03-25T00:02:18Z
Lists: pgsql-hackers
On Fri, 2023-03-24 at 10:00 -0400, Robert Haas wrote: > On Fri, Mar 24, 2023 at 3:59 AM Jeff Davis <pgsql@j-davis.com> wrote: > > That's a little confusing, why not just always use the > > SECURITY_RESTRICTED_OPERATION? Is there a use case I'm missing? > > Some concern was expressed -- not sure exactly where the email is > exactly, and it might've been on pgsql-security -- that doing that > categorically might break things that are currently working. The > people who were concerned included Andres and I forget who else. My > gut reaction was the same as yours, just do it always and don't worry > about it. But if people think that users are likely to run afoul of > the SECURITY_RESTRICTED_OPERATION restrictions in practice, then this > is better, and the implementation complexity isn't high. We could > even > think of extending this kind of logic to other places where > SECURITY_RESTRICTED_OPERATION is enforced, if desired. Without a reasonable example, we should probably be on some kind of path to disallowing crazy stuff in triggers that poses only risks and no benefits. Not the job of this patch, but perhaps it can be seen as a step in that direction? > > I am not thrilled with this either, but if you can arrange to run > code > as a certain user without the ability to SET ROLE to that user then > there is, by definition, a potential privilege escalation. I don't think that's "by definition". The code is being executed with the privileges of the person who wrote it. I don't see anything inherently insecure about that. There could be incidental or practical risks, but it's a pretty reasonable thing to do at a high level. > I don't > think we can just dismiss that as a non-issue. If the ability of one > user to potentially become some other user weren't a problem, we > wouldn't need any patch at all. Imagine for example that the table > owner has a trigger which doesn't sanitize search_path. The > subscription owner can potentially leverage that to get the table > owner's privileges. Can you explain? Couldn't we control the subscription process's search path? > In cases where the subscription owner isn't the > superuser, I think the next most likely possibility is that the > subscription owner is some kind of almost-super-user The benefit of delegating to a non-superuser is to contain the risk if that account is compromised. Allowing SET ROLE on tons of accounts diminishes that benefit, a lot. Regards, Jeff Davis
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Honor run_as_owner option in tablesync worker.
- a83edeaf684a 16.0 landed
-
Document new pg_subscription columns.
- bc25d6c54a00 16.0 landed
-
Add a run_as_owner option to subscriptions.
- 482675987bcd 16.0 landed
-
Perform logical replication actions as the table owner.
- 1e10d49b65d6 16.0 landed
-
Add new predefined role pg_create_subscription.
- c3afe8cf5a1e 16.0 cited
-
Respect permissions within logical replication.
- a2ab9c06ea15 15.0 cited
-
Empty search_path in logical replication apply worker and walsender.
- 11da97024abb 14.0 cited
-
Empty search_path in Autovacuum and non-psql/pgbench clients.
- 582edc369cdb 11.0 cited