From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Simon Riggs <simon(at)2ndquadrant(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Streaming replication as a separate permissions |
Date: | 2010-12-27 09:36:28 |
Message-ID: | AANLkTi=wZ9AKgVj9xQ-=BUKkNrffdukv54QS0kE8awpR@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Dec 27, 2010 at 09:32, Simon Riggs <simon(at)2ndquadrant(dot)com> wrote:
> On Thu, 2010-12-23 at 10:53 +0100, Magnus Hagander wrote:
>
>> Here's a patch that changes walsender to require a special privilege
>> for replication instead of relying on superuser permissions. We
>> discussed this back before 9.0 was finalized, but IIRC we ran out of
>> time. The motivation being that you really want to use superuser as
>> little as possible - and since being a replication slave is a read
>> only role, it shouldn't require the maximum permission available in
>> the system.
>
> Is backup part of this new privilege, or not?
The "integrated base backup", once we have that, that's based on the
walsender protocol? yes.
pg_dump style backups? No.
> I think if we're going to introduce a new level of privilege, then we
> should introduce all delegatable privs in one software release. Much
> better than having someone think up a new delegatable priv each release
> for next 5 years.
>
> Other possible ones include unsafe PL creation, seeing logged SQL etc..
That's certainly an option, but that means someone would have to come
up with a list ;) And one that's reasonable - for example, "unsafe pl
creation" is from a security perspective (which is the only thing
that's really intersting here) the same as superuser.
Seeing logged SQL isn't - but being able to filter the logfiles on
that requires a *lot* more than just defining a security privilege. If
we mean "arbitrary log file reading", the easiest way to fix that
would be to stop checking for superuser permissions in the
read-file-function, and instead use the permissions *on the function*
to control it. In fact, that is something that we could (should?) do
for a bunch of other functions as well, so that we can in that way
provide much more granular permissions level than just blanked
assigning of privileges.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Dave Page | 2010-12-27 09:52:57 | Re: Streaming replication as a separate permissions |
Previous Message | Николай Ижиков | 2010-12-27 09:28:42 | Re: Archlinux, ossp-uuid |