> On Jan 30, 2023, at 7:44 AM, Robert Haas <robertmh...@gmail.com> wrote:
> 
> And if we suppose that
> that already works and is safe, well then what's the case where I do
> need a run-as user?

A) Alice publishes tables, and occasionally adds new tables to existing 
publications.

B) Bob manages subscriptions, and periodically runs "refresh publication".  Bob 
also creates new subscriptions for people when a row is inserted into the 
"please create a subscription for me" table which Bob owns, using a trigger 
that Bob created on that table.

C) Alice creates a "please create a subscription for me" table on the 
publishing database, adds lots of malicious requests, and adds that table to 
the publication.

D) Bob replicates the table, fires the trigger, creates the malicious 
subscriptions, and starts replicating all that stuff, too.

I think that having Charlie, not Bob, as the "run-as" user helps somewhere 
right around (D). 

—
Mark Dilger
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
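
A subscriber-side audit for the exposure in step (D), added here as an example and not part of the original message: it lists user triggers on subscribed tables that fire during logical replication apply, along with who owns the subscription and the trigger function. It assumes the standard catalogs `pg_subscription`, `pg_subscription_rel`, `pg_trigger` and `pg_proc`, and that the apply worker runs with `session_replication_role = replica`, so only triggers marked ENABLE REPLICA or ENABLE ALWAYS fire.

```sql
-- Added example: run on the subscriber, in the database that holds the subscriptions.
-- Each row is a trigger that replicated (publisher-controlled) rows can fire.
SELECT s.subname                          AS subscription,
       pg_get_userbyid(s.subowner)        AS subscription_owner,
       sr.srrelid::regclass               AS replicated_table,
       t.tgname                           AS trigger_name,
       CASE t.tgenabled
            WHEN 'R' THEN 'REPLICA'
            WHEN 'A' THEN 'ALWAYS'
       END                                AS fires_in,
       t.tgfoid::regprocedure             AS trigger_function,
       pg_get_userbyid(p.proowner)        AS function_owner,
       p.prosecdef                        AS security_definer
FROM pg_subscription s
JOIN pg_subscription_rel sr ON sr.srsubid = s.oid
JOIN pg_trigger t           ON t.tgrelid  = sr.srrelid
JOIN pg_proc p              ON p.oid      = t.tgfoid
WHERE NOT t.tgisinternal                  -- skip FK and other system triggers
  AND t.tgenabled IN ('R', 'A')           -- origin-only ('O') and disabled ('D') triggers do not fire on apply
  AND s.subdbid = (SELECT oid FROM pg_database
                   WHERE datname = current_database())
ORDER BY subscription, replicated_table, trigger_name;
```

Rows where the trigger function performs privileged actions, such as creating subscriptions, are the ones to review against who controls the publication.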




