andrew(at)dunslane(dot)net (Andrew Dunstan) writes:
> Joshua D. Drake wrote:
>>> As a protection against malice, yes. I think Rod was more
>>> interested in some protection against stupidity.
>>> Maybe the real answer is that Slony should connect as a
>>> non-superuser and call security definer functions for the
>>> privileged things it needs to do.
>> Wouldn't that break Slony's ability to connect to older postgresql
>> versions and replicate?
> I don't know anything of Slony's internals, but I don't see why older
> versions should matter - Postgres has had security definer functions
> for every release that Slony supports. Maybe I'm missing something ...
Most of Slony-I's activities don't require superuser access. The
usual thing that's running are SYNC events, and those merely require
write access to some internal Slony-I tables and write access to the
replicated tables on the subscribers.
The functions that do need superuser access are (basically)
- subscribe set (needs to alter system tables)
- execute script (ditto)
The trouble is that you in effect need to have that superuser up and
ready for action at any time in case it's needed, and it being that
needful, we basically use it all the time.
Perhaps it's worth looking at shoving the superuser stuff into
SECURITY DEFINER functions; that may be worth considering
output = reverse("gro.gultn" "@" "enworbbc")
Wow! Windows now can do everything using shared library DLLs, just
like Multics did back in the 1960s! Maybe someday they'll discover
separate processes and pipes, which came out in the 1970s!
In response to
pgsql-hackers by date
|Next:||From: Tom Lane||Date: 2006-07-31 17:06:04|
|Subject: Re: tg_trigtuple not NULL in AFTER STATEMENT triggers? |
|Previous:||From: Jim C. Nasby||Date: 2006-07-31 16:40:21|
|Subject: Re: [HACKERS] extension for sql update|