On Wednesday, January 17, 2024 6:30 PM shveta malik <shveta.malik@gmail.com> wrote:
> PFA v63.
I analyzed the security of the slotsync worker and replication connection a bit,
and didn't find issue. Here is detail:
1) data security
First, we are using the role used in primary_conninfo, the role used here is
requested to have REPLICATION or SUPERUSER privilege[1] which means it is
reasonable for the role to modify and read replication slots on the primary.
On the primary, the slotsync worker only queries the pg_replication_view which
doesn't contain any system or user table access, so I think it's safe.
On the standby server, the slot sync worker will not read/write any user table as
well, thus we don't have the risk of executing arbitrary codes in trigger.
2) privilege check
The SQL query of the slotsync worker will take common privilege check on the
primary. If I revoke the function execution privilege on
pg_get_replication_slots from replication user, then the slotsync worker
won't be able to query the pg_replication_slots view. Same is true for the
pg_is_in_recovery function. The slotsync worker will keep reporting ERROR after
revoking which is as expected.
Based on above, I didn't see some security issues for slotsync worker.
[1] https://www.postgresql.org/docs/16/runtime-config-replication.html#GUC-PRIMARY-CONNINFO
Best Regards,
Hou zj
