On Thu, Dec 23, 2010 at 16:15, Tom Lane <t...@sss.pgh.pa.us> wrote: > Magnus Hagander <mag...@hagander.net> writes: >> Here's a patch that changes walsender to require a special privilege >> for replication instead of relying on superuser permissions. We >> discussed this back before 9.0 was finalized, but IIRC we ran out of >> time. The motivation being that you really want to use superuser as >> little as possible - and since being a replication slave is a read >> only role, it shouldn't require the maximum permission available in >> the system. > > Maybe it needn't require "max" permissions, but one of the motivations > for requiring superusernesss was to prevent Joe User from sucking every > last byte of data out of your database (and into someplace he could > examine it at leisure). This patch opens that barn door wide, because > so far as I can see, it allows anybody at all to grant the replication > privilege ... or revoke it, thereby breaking your replication setup. > I think only superusers should be allowed to change the flag.
That was certainly not intentional - and doesn't work that way for me at least, unless I broke it right before I submitted it. oh hang on.. Yeah, it's allowing anybody *that has CREATE ROLE* privilege to do it, I think. And I agree that's wrong and should be fixed. But I can't see it allowing anybody at all to do it - am I misreading the code? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/ -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers