On 2013-12-23 18:28:51 +0100, Magnus Hagander wrote: > On Dec 19, 2013 12:06 AM, "Andres Freund" <andres@2ndquadrant.com> wrote: > > > > Hi Magnus, > > > > It looks to me like the path to do_pg_start_backup() outside of a > > transaction context comes from your initial commit of the base backup > > facility. > > The problem is that you're not allowed to do anything leading to a > > syscache/catcache lookup in those contexts. > > I think that may have come with the addition of the replication privilege > actually but that doesn't change the fact that yes, it appears broken..
There was a if (!superuser()) check there before as well, that has the same dangers.
I think the correct fix is to move the security check outside of do_pg_start_backup() and leave it to the caller. That means pg_start_backup() for a manual backup. And for a streaming base backup the check has already been made - you can't get through the authentication step if you don't have the required permissions.
