| From: | Paul Martinez <paulmtz(at)google(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Why does creating logical replication subscriptions require superuser? |
| Date: | 2021-01-21 16:20:55 |
| Message-ID: | CACqFVBbx6PDq+=vHM0n78kHzn8tvOM-kGO_2q_q0zNAMT+TzdA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hey, all,
I'm working with native logical replication, and I don't fully understand
why logical replication subscribers need to be superusers, nor do I fully
understand the implication of some of the comments made on this page:
https://www.postgresql.org/docs/current/logical-replication-security.html
> A user able to modify the schema of subscriber-side tables can execute
> arbitrary code as a superuser.
Does "execute arbitrary code" here really mean executing arbitrary code on the
machine that is running Postgres, or simply running arbitrary SQL in the
replicating database? Would it only be able to modify data in the database
containing the subscription, or could it modify other databases in the same
cluster? Is there any "blast-radius" to the capabilities gained by such a user?
According to the commit message that added this text, the callout of this
point was added as result of CVE-2020-14349, but the details there don't
really help me understand what the concern is here, nor do I have a deep
understanding of various features that might combine to create a vulnerability.
I'm not sure what arbitrary code could be executed, but my rough guess, based
on some of the other text on that page, is that custom triggers, written in
an arbitrary language (e.g., Python), would run arbitrary code and that is
the concern. Is that correct? And, if so, assuming that Python triggers were
the only way to execute arbitrary code, then simply building Postgres without
Python support would prevent users that can modify the schema from executing
code as superuser. What is the full set of features that could lead to running
arbitrary code in this scenario? Is it just all the different languages that
can be used to write triggers?
Essentially, I'm wondering what a loose proof-of-concept privilege escalation
vulnerability would look like if a non-superuser can modify the schema of
subscriber-side tables.
On a related note, what happens if a superuser creates a subscription, and then
is demoted to a regular user? My understanding is that the worker that applies
the logical changes to the database connects as the user that created the
subscription, so would that prevent potential vulnerabilities in any way?
Thanks,
Paul
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bharath Rupireddy | 2021-01-21 16:51:30 | Re: Identify missing publications from publisher while create/alter subscription. |
| Previous Message | Bharath Rupireddy | 2021-01-21 16:17:40 | Re: [PATCH] postgres_fdw connection caching - cause remote sessions linger till the local session exit |