From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Josh Berkus <josh(at)agliodbs(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Streaming replication as a separate permissions |
Date: | 2010-12-23 22:33:42 |
Message-ID: | 20101223223342.GA4933@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
* Josh Berkus (josh(at)agliodbs(dot)com) wrote:
> On 12/23/10 2:21 PM, Tom Lane wrote:
> > Well, that's one laudable goal here, but "secure by default" is another
> > one that ought to be taken into consideration.
>
> I don't see how *not* granting the superuser replication permissions
> makes things more secure. The superuser can grant replication
> permissions to itself, so why is suspending them by default beneficial?
> I'm not following your logic here.
The point is that the *replication* role can't grant itself superuser
privs. Having the replication role compromised isn't great, but if that
role is *also* a superuser, then the whole database server could be
compromised. Encouraging users to continue to configure remote systems
with the ability to connect as a superuser when it's not necessary is a
bad idea.
One compromise would be to:
a) let superusers be granted the replication permission
b) have pg_dump assume that superusers have that permission when dumping
from a version which pre-dates the replication grant
c) have pg_upgrade assume the superuser has that permission when
upgrading
d) *not* grant replication to the default superuser
A better alternative, imv, would be to just have a & d, and mention in
the release notes that users *should* create a dedicated replication
role which is *not* a superuser but *does* have the replication grant,
but if they don't want to change their existing configurations, they can
just grant the replication privilege to whatever role they're currently
using.
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Josh Berkus | 2010-12-23 22:38:11 | Re: Streaming replication as a separate permissions |
Previous Message | Tom Lane | 2010-12-23 22:29:13 | Re: Streaming replication as a separate permissions |