From: | Mark Dilger <mark(dot)dilger(at)enterprisedb(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Andres Freund <andres(at)anarazel(dot)de>, Jeff Davis <pgsql(at)j-davis(dot)com>, Amit Kapila <amit(dot)kapila16(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Non-superuser subscription owners |
Date: | 2023-01-30 16:11:03 |
Message-ID: | E753CB47-8A1B-4339-B06F-6113EA3DB99C@enterprisedb.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> On Jan 30, 2023, at 7:44 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> And if we suppose that
> that already works and is safe, well then what's the case where I do
> need a run-as user?
A) Alice publishes tables, and occasionally adds new tables to existing publications.
B) Bob manages subscriptions, and periodically runs "refresh publication". Bob also creates new subscriptions for people when a row is inserted into the "please create a subscription for me" table which Bob owns, using a trigger that Bob created on that table.
C) Alice creates a "please create a subscription for me" table on the publishing database, adds lots of malicious requests, and adds that table to the publication.
D) Bob replicates the table, fires the trigger, creates the malicious subscriptions, and starts replicating all that stuff, too.
I think that having Charlie, not Bob, as the "run-as" user helps somewhere right around (D).
—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Drouvot, Bertrand | 2023-01-30 16:18:39 | Re: Minimal logical decoding on standbys |
Previous Message | Sébastien Lardière | 2023-01-30 16:05:36 | Re: Timeline ID hexadecimal format |