From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Petr Jelinek <petr(dot)jelinek(at)2ndquadrant(dot)com> |
Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, Andrey Borodin <x4mmm(at)yandex-team(dot)ru>, Euler Taveira <euler(at)timbira(dot)com(dot)br>, Robert Haas <robertmhaas(at)gmail(dot)com>, Evgeniy Efimkin <efimkin(at)yandex-team(dot)ru>, Jeff Davis <pgsql(at)j-davis(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Дмитрий Сарафанников <dsarafan(at)yandex-team(dot)ru>, Владимир Бородин <root(at)simply(dot)name> |
Subject: | Re: Special role for subscriptions |
Date: | 2019-03-23 14:52:52 |
Message-ID: | 20190323145252.GV6197@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Greetings,
* Petr Jelinek (petr(dot)jelinek(at)2ndquadrant(dot)com) wrote:
> On 23/03/2019 02:38, Michael Paquier wrote:
> > On Fri, Mar 22, 2019 at 08:41:06PM +0800, Andrey Borodin wrote:
> >> 22 марта 2019 г., в 19:17, Petr Jelinek <petr(dot)jelinek(at)2ndquadrant(dot)com> написал(а):
> >>> I still don't like that we are running the subscription workers as
> >>> superuser even for subscriptions created by regular user. That has
> >>> plenty of privilege escalation issues in terms of how user functions are
> >>> run (we execute triggers, index expressions etc, in that worker).
> >>
> >> Yes, this is important concern, thanks! I think it is not a big deal
> >> to run worker without superuser privileges too.
>
> Yes we should run without superuser privileges but perhaps more
> importantly we need to so me kind of security checks on tables while
> applying - the fact that the user had access to a table when
> subscription was created does not mean it will have it in 5 minutes and
> given our low level API usage in the worker, there is currently no check
> for that.
Agreed, and that's exactly the same as what I was telling Andrey at
PGConf APAC when he and I were discussing the subscription role. The
specific suggestion that I had was to check for every transaction,
though that was a pretty off-the-cuff idea and someone might have a
better one, certainly.
> > FWIW, the argument from Petr is very scary. So please let me think
> > that it is a pretty big deal.
> >
> >> Yes, this patch is a pure security implication and nothing else.
> >
> > And this is especially *why* it needs careful screening.
>
> Yep that was exactly my point.
>
> I agree the feature is important, it just does not seem like the patch
> is RFC and given security implications I err on the side of safety here.
Agreed.
Thanks!
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Julien Rouhaud | 2019-03-23 16:18:11 | Re: Ordered Partitioned Table Scans |
Previous Message | Fabien COELHO | 2019-03-23 13:14:02 | Re: Offline enabling/disabling of data checksums |