On Thu, Dec 30, 2010 at 9:54 AM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> On tor, 2010-12-23 at 17:29 -0500, Tom Lane wrote:
>> Josh Berkus <josh(at)agliodbs(dot)com> writes:
>> > On 12/23/10 2:21 PM, Tom Lane wrote:
>> >> Well, that's one laudable goal here, but "secure by default" is another
>> >> one that ought to be taken into consideration.
>> > I don't see how *not* granting the superuser replication permissions
>> > makes things more secure. The superuser can grant replication
>> > permissions to itself, so why is suspending them by default beneficial?
>> > I'm not following your logic here.
>> Well, the reverse of that is just as true: if we ship it without
>> replication permissions on the postgres user, people can change that if
>> they'd rather not create a separate role for replication. But I think
>> we should encourage people to NOT do it that way. Setting it up that
>> way by default hardly encourages use of a more secure arrangement.
> I think this argument is a bit inconsistent in the extreme. You might
> as well argue that a superuser shouldn't have any permissions by
> default, to discourage users from using it. They can always grant
> permissions back to it. I don't see why this particular one is so
> If we go down this road, we'll end up with a mess of permissions that a
> superuser has and doesn't have.
The Enterprise PostgreSQL Company
In response to
pgsql-hackers by date
|Next:||From: Alvaro Herrera||Date: 2010-12-30 15:18:40|
|Subject: Re: SLRU API tweak|
|Previous:||From: Peter Eisentraut||Date: 2010-12-30 14:54:31|
|Subject: Re: Streaming replication as a separate permissions|