Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pfnks-0005c3-Ii for pgsql-hackers@arkaria.postgresql.org; Fri, 24 Mar 2023 20:11:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pfnkr-0001Sj-2D for pgsql-hackers@arkaria.postgresql.org; Fri, 24 Mar 2023 20:11:17 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pfnkq-0001RW-OC for pgsql-hackers@lists.postgresql.org; Fri, 24 Mar 2023 20:11:16 +0000 Received: from mail-pf1-x436.google.com ([2607:f8b0:4864:20::436]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pfnki-000647-5C for pgsql-hackers@postgresql.org; Fri, 24 Mar 2023 20:11:16 +0000 Received: by mail-pf1-x436.google.com with SMTP id i15so1993958pfo.8 for ; Fri, 24 Mar 2023 13:11:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1679688666; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=8wPRR6BrkDh5DuvcFLkeTuiVQ527EJ+yrc/o/1b1k9U=; b=JZWTe2zKfhiYk3pWOa4JsjgYls1e4R4teq+cT5fZOxef5xCIZpEhjzwO6G6QEPUY5F 8MyRLDjeEN/jM1SoLqMtmUS1Aw3dhRgMFK8hIE/5DOQ6eM2qpZwYY19R+2fnHGJka2ep vVL9hy8h0GQZ/i9HmmYDHs4t3dItttk8E89xU6+M8PW51d26io9phGMWfKbw8F/b5BlV LRXEStOpUkuGYpvEIlnU++raJpP6AuCE7AaADd+qW+6pzB5g98QFM/U5YDo15fAkY58M nVzcPi5ufCN1UTcrIkabDou6+qGGP4shhvRvf9acZXpZiWiJPkfcmsU0Po6biMVf9ZXT oMlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679688666; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8wPRR6BrkDh5DuvcFLkeTuiVQ527EJ+yrc/o/1b1k9U=; b=d+yRqQRCFGLflKZx+aj9HOMfTJdaohb9iMDwGPkyuQYIVoUbk9DrjsXY1hnr0zfkPf I+ScEjVemK5wdNi1Vk3IoAcmdtQI6eTgflKothpv3ltFVzotDfBCzwMAX8eoKiBp9zxQ p2H4hRflSs7emnXw5YJG6xgXqIvvEPbiUxBnEMC0Lg0lfeNeiMQKQ9MfMOkDnyvr5yUw Ll2ZztuN7+5bA0PGiG1pt3f6C5r+eoKTg6dYphjquOZb1Dj1bhDLvJCdxhFg1reVBwWz ZxrVHzMGReOQi/51tgXKsY9MD4B03JjhNGOyPnh24+BYdPiNV0JLGTnFcnwEfkhroWwb W6Eg== X-Gm-Message-State: AAQBX9d9IpVLEUlI2dCvbOXzWejcLJIJJuJKOpujP/+y/UjvI6y0+T/l 20z+neF4eECPCl6gGRs9K3ADAZz5sDUxRlyT1YfzG16WcVNwPSpDK+YTciRnijVmVJgtoxWvUL7 oXUKTwHx6rzWH2JPxHgVPGlKCl2txIEvqcY79yHMldQuRXaxpz4ep8JmIJTAGnoKwOF5D56nOue Fs0LxucRkK9XC452ZRx5nkhhp7MKmIhRQg7cHh X-Google-Smtp-Source: AKy350Yfpizn8sHuKGq9nbG4rFOn8Vj1FBR9EAEjj/oj8IUiZEE9lWvuWdNGVfRud4utk07GgEhbnw== X-Received: by 2002:aa7:9ece:0:b0:627:f9ac:8a31 with SMTP id r14-20020aa79ece000000b00627f9ac8a31mr4048668pfq.2.1679688665728; Fri, 24 Mar 2023 13:11:05 -0700 (PDT) Received: from smtpclient.apple (24-113-193-150.wavecable.com. [24.113.193.150]) by smtp.gmail.com with ESMTPSA id v21-20020aa78515000000b006259beddb63sm13848987pfn.44.2023.03.24.13.11.05 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 24 Mar 2023 13:11:05 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\)) Subject: Re: running logical replication as the subscription owner From: Mark Dilger In-Reply-To: Date: Fri, 24 Mar 2023 13:11:10 -0700 Cc: Jeff Davis , "pgsql-hackers@postgresql.org" , Andres Freund , Noah Misch Content-Transfer-Encoding: quoted-printable Message-Id: <3D54D77A-20F2-42EC-8167-586C65E7074A@enterprisedb.com> References: <68d5974b80e54672b59ff13e59d046c1e982fcd8.camel@j-davis.com> To: Robert Haas X-Mailer: Apple Mail (2.3731.400.51.1.1) X-CLOUD-SEC-AV-Info: enterprisedb,google_mail,monitor X-CLOUD-SEC-AV-Sent: true X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On Mar 24, 2023, at 11:35 AM, Robert Haas = wrote: >=20 > I don't know how bad that sounds to you, and if it does sound bad, I > don't immediately see how to mitigate it. As I said to Jeff, if you > can replicate into a table that has a casually-written SECURITY > INVOKER trigger on it, you can probably hack into the table owner's > account. I assume you mean this bit: > > Imagine for example that the table > > owner has a trigger which doesn't sanitize search_path. The > > subscription owner can potentially leverage that to get the table > > owner's privileges. I don't find that terribly convincing. First, there's no reason a = subscription owner should be an ordinary user able to volitionally do = anything. The subscription owner should just be a role that the = subscription runs under, as a means of superuser dropping privileges = before applying changes. So the only real problem would be that the = changes coming from the publisher might, upon application, hack the = table owner. But if that's the case, the table owner's vulnerability on = the subscription-database side is equal to their vulnerability on the = publication-database side (assuming equal schemas on both). Flagging = this vulnerability as being logical replication related seems a category = error. Instead, it's a schema vulnerability. > So I think that if we allow user A to replicate into user B's > table with fewer privileges than A-can-set-role-to-B, we're building a > privilege-escalation attack into the system. But if we do require > A-can-set-role-to-B, then things change as described above. I don't understand the direction this patch is going. I'm emphatically = not objecting to it, merely expressing my confusion about it. I had imagined the solution to the replication security problem was to = stop running the replication as superuser, and instead as a trivial = user. Imagine that superuser creates roles "deadhead_bob" and = "deadhead_alice" which cannot log in, are not members of any groups nor = have any other roles as members of themselves, and have no privileges = beyond begin able to replicate into bob's and alice's tables, = respectively. The superuser sets up the subscriptions disabled, = transfers ownership to deadhead_bob and deadhead_alice, and only then = enables the subscriptions. Since deadhead_bob and deadhead_alice cannot log in, and nobody can set = role to them, I don't see what the vulnerability is. Sure, maybe alice = can attack deadhead_alice, or bob can attack deadhead_bob, but that's = more of a privilege deescalation than a privilege escalation, so where's = the risk? That's not a rhetorical question. Is there a risk here? Or = are we just concerned that most users will set up replication with = superuser or some other high-privilege user, and we're trying to protect = them from the consequences of that choice? =E2=80=94 Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company