On 23/03/2019 02:38, Michael Paquier wrote:
> On Fri, Mar 22, 2019 at 08:41:06PM +0800, Andrey Borodin wrote:
>> 22 марта 2019 г., в 19:17, Petr Jelinek <petr.jelinek@2ndquadrant.com> написал(а):
>>> I still don't like that we are running the subscription workers as
>>> superuser even for subscriptions created by regular user. That has
>>> plenty of privilege escalation issues in terms of how user functions are
>>> run (we execute triggers, index expressions etc, in that worker).
>>
>> Yes, this is important concern, thanks! I think it is not a big deal
>> to run worker without superuser privileges too.
>
Yes we should run without superuser privileges but perhaps more
importantly we need to so me kind of security checks on tables while
applying - the fact that the user had access to a table when
subscription was created does not mean it will have it in 5 minutes and
given our low level API usage in the worker, there is currently no check
for that.
See the 0004 patch in
https://www.postgresql.org/message-id/0b477a34-01c5-ad97-b408-79f4e0e6414b@2ndquadrant.com
.
> FWIW, the argument from Petr is very scary. So please let me think
> that it is a pretty big deal.
>
>> Yes, this patch is a pure security implication and nothing else.
>
> And this is especially *why* it needs careful screening.
>
Yep that was exactly my point.
I agree the feature is important, it just does not seem like the patch
is RFC and given security implications I err on the side of safety here.
--
Petr Jelinek http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services