On Wednesday, January 17, 2024 6:30 PM shveta malik <shveta.ma...@gmail.com> wrote: > PFA v63.
I analyzed the security of the slotsync worker and replication connection a bit, and didn't find issue. Here is detail: 1) data security First, we are using the role used in primary_conninfo, the role used here is requested to have REPLICATION or SUPERUSER privilege[1] which means it is reasonable for the role to modify and read replication slots on the primary. On the primary, the slotsync worker only queries the pg_replication_view which doesn't contain any system or user table access, so I think it's safe. On the standby server, the slot sync worker will not read/write any user table as well, thus we don't have the risk of executing arbitrary codes in trigger. 2) privilege check The SQL query of the slotsync worker will take common privilege check on the primary. If I revoke the function execution privilege on pg_get_replication_slots from replication user, then the slotsync worker won't be able to query the pg_replication_slots view. Same is true for the pg_is_in_recovery function. The slotsync worker will keep reporting ERROR after revoking which is as expected. Based on above, I didn't see some security issues for slotsync worker. [1] https://www.postgresql.org/docs/16/runtime-config-replication.html#GUC-PRIMARY-CONNINFO Best Regards, Hou zj
