* Josh Berkus ([email protected]) wrote:
> On 12/23/10 2:21 PM, Tom Lane wrote:
> > Well, that's one laudable goal here, but "secure by default" is another
> > one that ought to be taken into consideration.
>
> I don't see how *not* granting the superuser replication permissions
> makes things more secure. The superuser can grant replication
> permissions to itself, so why is suspending them by default beneficial?
> I'm not following your logic here.
The point is that the *replication* role can't grant itself superuser
privs. Having the replication role compromised isn't great, but if that
role is *also* a superuser, then the whole database server could be
compromised. Encouraging users to continue to configure remote systems
with the ability to connect as a superuser when it's not necessary is a
bad idea.
One compromise would be to:
a) let superusers be granted the replication permission
b) have pg_dump assume that superusers have that permission when dumping
from a version which pre-dates the replication grant
c) have pg_upgrade assume the superuser has that permission when
upgrading
d) *not* grant replication to the default superuser
A better alternative, imv, would be to just have a & d, and mention in
the release notes that users *should* create a dedicated replication
role which is *not* a superuser but *does* have the replication grant,
but if they don't want to change their existing configurations, they can
just grant the replication privilege to whatever role they're currently
using.
Thanks,
Stephen
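The configuration Stephen recommends above (a dedicated replication role that holds the replication grant but is not a superuser, alongside a check that no superuser is being used for streaming), shown as an added example; this is not code from the thread or from the PostgreSQL project. It assumes a PostgreSQL release that has the REPLICATION role attribute and the `rolreplication` column in `pg_roles` (9.1 and later), a hypothetical role name `replicator`, and a constructed standby subnet `10.0.0.0/24`:

```sql
-- Least-privilege replication role: can open a replication connection,
-- but has no superuser, CREATEDB or CREATEROLE rights.
-- (NOSUPERUSER is the default; it is spelled out here for clarity.)
CREATE ROLE replicator WITH
    LOGIN
    REPLICATION
    NOSUPERUSER
    NOCREATEDB
    NOCREATEROLE
    PASSWORD 'change-me';   -- constructed placeholder, set via a secret store in practice

-- The weaker pattern the thread argues against: a superuser used only
-- because "it already works". Compromise of this credential on the standby
-- hands over the whole primary, not just the WAL stream.
-- CREATE ROLE standby_admin WITH LOGIN SUPERUSER PASSWORD 'change-me';

-- Audit check: list every role that can replicate and flag any that is
-- also a superuser. Ideally the only row returned has rolsuper = false.
SELECT rolname,
       rolsuper,
       rolreplication,
       CASE WHEN rolsuper THEN 'REVIEW: superuser used for replication'
            ELSE 'ok' END AS finding
FROM pg_roles
WHERE rolreplication
ORDER BY rolsuper DESC, rolname;

-- Migration path for an existing setup that already streams as some
-- non-superuser role: grant the attribute in place instead of switching
-- the standby to a superuser.
-- ALTER ROLE existing_standby_role WITH REPLICATION;

-- Matching pg_hba.conf entry (not SQL; shown here as a comment).
-- The pseudo-database "replication" matches streaming connections only,
-- so this line grants nothing for ordinary client sessions:
--
--   # TYPE  DATABASE     USER        ADDRESS        METHOD
--   host    replication  replicator  10.0.0.0/24    md5
```

Running the audit query periodically (or from a monitoring job) catches the case the discussion worries about: a superuser quietly acquiring the replication attribute and then being used as the standby's credential. Restricting the `pg_hba.conf` line to the standby subnet and to the `replication` pseudo-database keeps the role usable for nothing but WAL streaming even if its password leaks.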
