Hi!
> - If the user's permissions are later revoked, the subscription is unaffected.
Now it work the same, if we revoke superuser, subscription is unaffected and replication still work
Don't check grants in target database is very dangerous, i create publication with system tables(it's not difficult)
select * from pg_publication_tables ;
pubname | schemaname | tablename
---------+------------+--------------------
pub | pg_catalog | pg_authid
(1 row)
After that i create subscription, in log i see that
2019-03-21 11:19:50.863 MSK [58599] LOG: logical replication table synchronization worker for subscription
"sub_nosuper",table "pg_authid" has started
2019-03-21 11:19:51.039 MSK [58599] ERROR: null value in column "oid" violates not-null constraint
2019-03-21 11:19:51.039 MSK [58599] DETAIL: Failing row contains (null, pg_monitor, f, t, f, f, f, f, f, -1, null,
null).
2019-03-21 11:19:51.039 MSK [58599] CONTEXT: COPY pg_authid, line 1: "pg_monitor f t f f f f f -1 \N
\N"
I think it's no problem use it to attack target server after some hack on publication side.
--------
Efimkin Evgeny
