On 3/29/17 19:01, Petr Jelinek wrote:
>> So this CREATE SUBSCRIPTION priv actually gives you the power to cause
>> the system to open network connections to the outside world. It's not
>> something you give freely to random strangers -- should be guarded
>> moderately tight, because it could be used as covert channel for data
>> leaking. However, it's 1000x better than requiring superuser for
>> subscription creation, so +1 for the current approach.
>>
> Plus on the other hand you might want to allow somebody to stream data
> from another server but not necessarily allow said person to create new
> objects in the database which standard CREATE privilege would allow. So
> I think it makes sense to push this approach.
One new concern I just thought about is that having GRANT whatever ON
DATABASE would allow a database owner to assign these privileges, but a
database owner is not necessarily someone highly privileged to make this
decision.
So I'm prepared to set this patch to returned with feedback for now.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
