[offlist]
> 22 янв. 2021 г., в 13:16, Thomas Kellerer <shammat@gmx.net> написал(а):
>
> Andrey Borodin schrieb am 22.01.2021 um 08:32:
>
>> Replication is running under superuser and e.g. one can add system catalog to subscription.
>> Or exploit this fact other way. Having superuser you can just COPY FROM PROGRAM anything.
>
> It was my understanding that the replication process itself runs with the user specified
> when creating the subscription - which is no necessarily a superuser. Only a user that
> is part of the "replication" role.
>
> The replication user also needs to be granted SELECT privileges on all tables of the publication,
> so it's quite easy to control what the replication user has access to.
> Plus the publication also limits what the replication can see.
>
> I second the idea that not requiring a superuser to create a subscription would make things
> a lot easier. We worked around that by creating a security definer function that runs
> the CREATE SUBSCRIPTION command.
Hi! Yes, at Yandex.Cloud we want it too
https://www.postgresql.org/message-id/flat/1269681541151271%40myt5-68ad52a76c91.qloud-c.yandex.net
And we run PG with patches that create special role for replication that allows you to create subscriptions for tables
youown.
We successfully created exploits against Aiven and AWS RDS services gaining superuser with their ways of subscription
creation(and reported vulnerabilities, of cause). Probably, you have this (not so scary) vulnerability too.
Best regards, Andrey Borodin.
