On Thu, Dec 23, 2010 at 10:15 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
>> Here's a patch that changes walsender to require a special privilege
>> for replication instead of relying on superuser permissions. We
>> discussed this back before 9.0 was finalized, but IIRC we ran out of
>> time. The motivation being that you really want to use superuser as
>> little as possible - and since being a replication slave is a read
>> only role, it shouldn't require the maximum permission available in
>> the system.
>
> Maybe it needn't require "max" permissions, but one of the motivations
> for requiring superusernesss was to prevent Joe User from sucking every
> last byte of data out of your database (and into someplace he could
> examine it at leisure). This patch opens that barn door wide, because
> so far as I can see, it allows anybody at all to grant the replication
> privilege ... or revoke it, thereby breaking your replication setup.
> I think only superusers should be allowed to change the flag.
I haven't looked at the patch yet, but I think we should continue to
allow superuser-ness to be *sufficient* for replication - i.e.
superusers will automatically have the replication privilege just as
they do any other - and merely allow this as an option for when you
want to avoid doing it that way.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
