Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n6FfG-0005Pm-LH for pgsql-hackers@arkaria.postgresql.org; Sat, 08 Jan 2022 17:38:02 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1n6FfF-00070R-Fw for pgsql-hackers@arkaria.postgresql.org; Sat, 08 Jan 2022 17:38:01 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n6FfF-00070I-6h for pgsql-hackers@lists.postgresql.org; Sat, 08 Jan 2022 17:38:01 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1n6FfB-0001GH-6e for pgsql-hackers@postgresql.org; Sat, 08 Jan 2022 17:38:00 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 208HbnmO1502450; Sat, 8 Jan 2022 12:37:49 -0500 From: Tom Lane To: Jeff Davis cc: Amit Kapila , Mark Dilger , Andrew Dunstan , PostgreSQL-development , Robert Haas Subject: Re: Non-superuser subscription owners In-reply-to: <3c86885b0facc66eede94113123c1c3be39837fe.camel@j-davis.com> References: <9DFC88D3-1300-4DE8-ACBC-4CEF84399A53@enterprisedb.com> <6BB4451E-7B1B-474C-BD1F-DB7531E720C6@enterprisedb.com> <6A2B0FF6-CC86-48CE-B0D3-5401AA5CFEA9@enterprisedb.com> <1BB0A553-3FE9-4A91-A975-6F9D8C157FBD@enterprisedb.com> <7C62876F-5D19-4B5C-96AC-5590B10A49B2@enterprisedb.com> <66f55a6b9ff7bdd6bfd0d05e8fd8351690e69e23.camel@j-davis.com> <92BEDE2A-8043-4F50-9BD8-46977A9A2972@enterprisedb.com> <3c86885b0facc66eede94113123c1c3be39837fe.camel@j-davis.com> Comments: In-reply-to Jeff Davis message dated "Sat, 08 Jan 2022 09:14:59 -0800" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1502448.1641663469.1@sss.pgh.pa.us> Date: Sat, 08 Jan 2022 12:37:49 -0500 Message-ID: <1502449.1641663469@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Jeff Davis writes: > I'm not sure I follow the reasoning. Are you saying that, to logically > replay a simple DELETE, the subscription owner should have SELECT > privileges on the destination table? We consider that DELETE WHERE requires SELECT privilege on the column(s) read by the . I suppose that the point here is to enforce the same privilege checks that occur in normal SQL operation, so yes. > Is there a way that a subscription owner could somehow exploit a DELETE > privilege to see the contents of a table on which they have no SELECT > privileges? BEGIN; DELETE FROM tab WHERE col = 'foo'; -- note deletion count ROLLBACK; Now you have some information about whether "col" contains 'foo'. Admittedly, it might be a pretty low-bandwidth way to extract data, but we still regard it as a privilege issue. regards, tom lane