On Thu, Dec 23, 2010 at 10:15 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: > Magnus Hagander <mag...@hagander.net> writes: >> Here's a patch that changes walsender to require a special privilege >> for replication instead of relying on superuser permissions. We >> discussed this back before 9.0 was finalized, but IIRC we ran out of >> time. The motivation being that you really want to use superuser as >> little as possible - and since being a replication slave is a read >> only role, it shouldn't require the maximum permission available in >> the system. > > Maybe it needn't require "max" permissions, but one of the motivations > for requiring superusernesss was to prevent Joe User from sucking every > last byte of data out of your database (and into someplace he could > examine it at leisure). This patch opens that barn door wide, because > so far as I can see, it allows anybody at all to grant the replication > privilege ... or revoke it, thereby breaking your replication setup. > I think only superusers should be allowed to change the flag.
I haven't looked at the patch yet, but I think we should continue to allow superuser-ness to be *sufficient* for replication - i.e. superusers will automatically have the replication privilege just as they do any other - and merely allow this as an option for when you want to avoid doing it that way. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
