public inbox for [email protected]  
help / color / mirror / Atom feed
From: Mark Dilger <[email protected]>
To: Robert Haas <[email protected]>
Cc: Jeff Davis <[email protected]>
Cc: [email protected] <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: Noah Misch <[email protected]>
Subject: Re: running logical replication as the subscription owner
Date: Fri, 24 Mar 2023 09:58:57 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+TgmoaE35kKS3-zSvGiZszXP9Tb9rNfYzT=+fO8Ehk5EDKrag@mail.gmail.com>
References: <CA+TgmoaSCkg9ww9oppPqqs+9RVqCexYCE6Aq=UsYPfnOoDeFkw@mail.gmail.com>
	<[email protected]>
	<CA+TgmoaE35kKS3-zSvGiZszXP9Tb9rNfYzT=+fO8Ehk5EDKrag@mail.gmail.com>



> On Mar 24, 2023, at 7:00 AM, Robert Haas <[email protected]> wrote:
> 
> More generally, Stephen Frost has elsewhere argued that we should want
> the subscription owner to be a very low-privilege user, so that if
> their privileges get stolen, it's no big deal. I disagree with that. I
> think it's always a problem if one user can get unauthorized access to
> another user's account, regardless of exactly what those accounts can
> do. I think our goal should be to make it safe for the subscription
> owner to be a very high-privilege user, because you're going to need
> to be a very high-privilege user to set up replication. And if you do
> have that level of privilege, it's more convenient and simpler if you
> can just own the subscription yourself, rather than having to make a
> dummy account to own it. To put that another way, I think that what
> people are going to want to do in a lot of cases is have the superuser
> own the subscription, so I think we need to make that case safe,
> whatever it takes.

I also think the subscription owner should be a low-privileged user, owing to the risk of the publisher injecting malicious content into the publication.  I think you are focused on all the bad actors on the subscription-side database and what they can do to each other.  That's also valid, but I get the impression that you're losing sight of the risk posed by malicious publishers.  Or maybe you aren't, and can explain?

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company









view thread (7+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: running logical replication as the subscription owner
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox