Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pfrNW-0008MQ-0P for pgsql-hackers@arkaria.postgresql.org; Sat, 25 Mar 2023 00:03:26 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1pfrMV-0004gd-WF for pgsql-hackers@arkaria.postgresql.org; Sat, 25 Mar 2023 00:02:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pfrMV-0004gU-Lf for pgsql-hackers@lists.postgresql.org; Sat, 25 Mar 2023 00:02:23 +0000 Received: from mail-pl1-x633.google.com ([2607:f8b0:4864:20::633]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pfrMT-00018I-1q for pgsql-hackers@postgresql.org; Sat, 25 Mar 2023 00:02:22 +0000 Received: by mail-pl1-x633.google.com with SMTP id c18so3287425ple.11 for ; Fri, 24 Mar 2023 17:02:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-davis-com.20210112.gappssmtp.com; s=20210112; t=1679702540; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=w62M1msll7/YRef3NShz9TaLXd5BuC/ZP7KQ3HE1l18=; b=RRPHAJPVOAuccvJN52ySibyHfqQgRxrRo9ZUkBgCUs7PGaoSbp0E/xIIM3F64Day1k uvyDH4o4RF/rVVRstuJkYnJCgFDJmdlyWiIeNrof2LVSJhOmsSDVBDccs+Rn6TZWQ2bc 63FT5XiQlUF9xFx/gWspv08DeRyN46wH3WfLnjNYmaAJMWlW9HvCl1EcWrwbdnlhZVWm hnsqFF/VdWcGxpQDK+20b6KuQHjbbBy23liSMKC824VVXlgNowNcKT7oGmU+y8qUJLqS sqas36YsHVPHNtmsy6CzSjMU7Zb6d6xMb/9XhE6tNIYkY+ptDkQ1DnZMU7YldsVddwSS t49g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679702540; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=w62M1msll7/YRef3NShz9TaLXd5BuC/ZP7KQ3HE1l18=; b=keMT7DaDFHY/AEt1BnnoAvAHPOwEebblXhbwp3NOjaV9AYtLXZcp0hpCu+gOBGFcqb j0alTId3CEvlRPSOQ3EWyl7ayCh2HK7xl25+RRsyJQFs5HtaZ8s9xywVAmKMxQ22a9yC GwK6GwkxrxnulN2P9SD3DLmDNNAebCqTBmRCcNHYB1zaVf3LPzw/XY/7Dv8xGr+9WfIG 9qc6erSRMeaqqKzxf0zpaV0XsMstTun0sZtrryIaB7R7oBTFAz05u1klmM9Rkn+khNyd Ftp6aDqWQ5eMETdh0QjnGEskPS/MuOzcpvHc6LJX9A/F1bcgmFoIKaZg6LTF5abOhQwp n8zQ== X-Gm-Message-State: AAQBX9d2esBHWl5V2iJ61kKOVrXxWLU0cJfwduVogV/KCN6xnQcXcfxt OmAOl/v1Syt39UJHTPvJUcs7EQ== X-Google-Smtp-Source: AKy350Z4YIf0BWYetYt9ff9DBwvgWW169y7wzpWXyMsfguTKxES3H5AdiWDvsPIDkvb01tEpEk//uA== X-Received: by 2002:a17:902:da8a:b0:19e:b2f3:e8c4 with SMTP id j10-20020a170902da8a00b0019eb2f3e8c4mr5192076plx.25.1679702540039; Fri, 24 Mar 2023 17:02:20 -0700 (PDT) Received: from jeff-laptop.lan (c-73-70-96-208.hsd1.ca.comcast.net. [73.70.96.208]) by smtp.gmail.com with ESMTPSA id j1-20020a17090276c100b00195f0fb0c18sm14731638plt.31.2023.03.24.17.02.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 24 Mar 2023 17:02:19 -0700 (PDT) Message-ID: Subject: Re: running logical replication as the subscription owner From: Jeff Davis To: Robert Haas Cc: "pgsql-hackers@postgresql.org" , Andres Freund , Noah Misch Date: Fri, 24 Mar 2023 17:02:18 -0700 In-Reply-To: References: <68d5974b80e54672b59ff13e59d046c1e982fcd8.camel@j-davis.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4-0ubuntu1 MIME-Version: 1.0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, 2023-03-24 at 10:00 -0400, Robert Haas wrote: > On Fri, Mar 24, 2023 at 3:59=E2=80=AFAM Jeff Davis wr= ote: > > That's a little confusing, why not just always use the > > SECURITY_RESTRICTED_OPERATION? Is there a use case I'm missing? >=20 > Some concern was expressed -- not sure exactly where the email is > exactly, and it might've been on pgsql-security -- that doing that > categorically might break things that are currently working. The > people who were concerned included Andres and I forget who else. My > gut reaction was the same as yours, just do it always and don't worry > about it. But if people think that users are likely to run afoul of > the SECURITY_RESTRICTED_OPERATION restrictions in practice, then this > is better, and the implementation complexity isn't high. We could > even > think of extending this kind of logic to other places where > SECURITY_RESTRICTED_OPERATION is enforced, if desired. Without a reasonable example, we should probably be on some kind of path to disallowing crazy stuff in triggers that poses only risks and no benefits. Not the job of this patch, but perhaps it can be seen as a step in that direction? >=20 > I am not thrilled with this either, but if you can arrange to run > code > as a certain user without the ability to SET ROLE to that user then > there is, by definition, a potential privilege escalation. I don't think that's "by definition". The code is being executed with the privileges of the person who wrote it. I don't see anything inherently insecure about that. There could be incidental or practical risks, but it's a pretty reasonable thing to do at a high level. > I don't > think we can just dismiss that as a non-issue. If the ability of one > user to potentially become some other user weren't a problem, we > wouldn't need any patch at all. Imagine for example that the table > owner has a trigger which doesn't sanitize search_path. The > subscription owner can potentially leverage that to get the table > owner's privileges. Can you explain? Couldn't we control the subscription process's search path? > In cases where the subscription owner isn't the > superuser, I think the next most likely possibility is that the > subscription owner is some kind of almost-super-user The benefit of delegating to a non-superuser is to contain the risk if that account is compromised. Allowing SET ROLE on tons of accounts diminishes that benefit, a lot. Regards, Jeff Davis