Re: logical changeset generation v6.2 - Mailing list pgsql-hackers
From | Robert Haas |
---|---|
Subject | Re: logical changeset generation v6.2 |
Date | |
Msg-id | CA+TgmoaZ0RDE5qdWXx0wuDQi-APCnV_YjB2GTziYhU8hRsUW8g@mail.gmail.com Whole thread Raw |
In response to | Re: logical changeset generation v6.2 (Andres Freund <andres@2ndquadrant.com>) |
List | pgsql-hackers |
On Tue, Oct 15, 2013 at 10:56 AM, Andres Freund <andres@2ndquadrant.com> wrote: >> > That means you allow trivial remote code execution since you could try >> > to load system() or something else that's available in every shared >> > object. Now you can argue that that's OK since we have special checks >> > for replication connections, but I'd rather not go there. >> >> Well, obviously you can't let somebody load any library they want. >> But that's pretty much true anyway; LOAD had better be confined to >> superusers unless there is something (like a pg_proc entry) that >> provides "prior authorization" for that specific load. > > Currently you can create users that have permissions for replication but > which are not superusers. I think we should strive to providing that > capability for changeset extraction as well. I agree. >> >> Perhaps this ought to work similarly. Create a function in pg_proc >> >> which returns the structure containing the function pointers. Then, >> >> when that output plugin is selected, it'll automatically trigger >> >> loading the correct shared library if that's needed; and the shared >> >> library name may (but need not) match the output plugin name. >> > >> > I'd like to avoid relying on inserting stuff into pg_proc because that >> > makes it harder to extract WAL from a HS standby. Requiring to configure >> > that on the primary to extract data on the standby seems confusing to >> > me. >> > >> > But perhaps that's the correct solution :/ >> >> That's a reasonable concern. I don't have another idea at the moment, >> unless we want to allow replication connections to issue LOAD >> commands. Then you can LOAD the library, so that the plug-in is >> registered under the well-known name you expect it to have, and then >> use that name to start replication. > > But what's the advantage of that over the current situation or one where > PG_load_output_plugin() is called? The current and related > implementations allow you to only load libraries in some designated > postgres directories and it doesn't allow you to call any arbitrary > functions in there. Well, I've already said why I don't like conflating the library name and the plugin name. It rules out core plugins and libraries that provide multiple plugins. I don't have anything to add to that. > Would you be content with a symbol "PG_load_output_plugin" being called > that fills out the actual callbacks? Well, it doesn't fix the muddling of library names with output plugin names, but I suppose I'd find it a modest improvement. >> > Well, just providing the C API + an example in a first step didn't work >> > out too badly for FDWs. I am pretty sure that once released there will >> > soon be extensions for it on PGXN or whatever for special usecases. >> >> I suspect so, too. But I also think that if that's the only thing >> available in the first release, a lot of users will get a poor initial >> impression. > > I think lots of people will expect a builtin logical replication > solution :/. Which seems a tad unlikely to arrive in 9.4. Yep. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
pgsql-hackers by date: