* Josh Berkus (j...@agliodbs.com) wrote:
> On 12/23/10 2:21 PM, Tom Lane wrote:
> > Well, that's one laudable goal here, but "secure by default" is another
> > one that ought to be taken into consideration.
>
> I don't see how *not* granting the superuser replication permissions
> makes things more secure. The superuser can grant replication
> permissions to itself, so why is suspending them by default beneficial?
> I'm not following your logic here.
The point is that the *replication* role can't grant itself superuser
privs. Having the replication role compromised isn't great, but if that
role is *also* a superuser, then the whole database server could be
compromised. Encouraging users to continue to configure remote systems
with the ability to connect as a superuser when it's not necessary is a
bad idea.

One compromise would be to:

a) let superusers be granted the replication permission
b) have pg_dump assume that superusers have that permission when dumping
   from a version which pre-dates the replication grant
c) have pg_upgrade assume the superuser has that permission when upgrading
d) *not* grant replication to the default superuser

A better alternative, imv, would be to just have a & d, and mention in
the release notes that users *should* create a dedicated replication role
which is *not* a superuser but *does* have the replication grant, but if
they don't want to change their existing configurations, they can just
grant the replication privilege to whatever role they're currently using.

Thanks,

Stephen
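What the recommendation above looks like in practice, as an added example that is not part of the thread or of PostgreSQL's own code: it assumes PostgreSQL 9.1 or later (where the REPLICATION role attribute exists), and the role names, password and standby address are placeholders.

```sql
-- Pattern the post warns against: the remote standby connects as a
-- superuser, so a compromise of that connection is a compromise of the
-- whole server. (role name and password are placeholders)
CREATE ROLE standby_admin WITH SUPERUSER LOGIN PASSWORD 'placeholder';

-- Preferred pattern: a dedicated role that can stream WAL and nothing else.
-- REPLICATION grants only what a streaming standby or pg_basebackup needs;
-- NOSUPERUSER means a compromise of this role cannot escalate on its own.
CREATE ROLE replicator WITH REPLICATION LOGIN NOSUPERUSER
    NOCREATEDB NOCREATEROLE PASSWORD 'placeholder';

-- For an existing deployment that already connects as some non-superuser
-- role, keeping the configuration only needs the attribute, not a new role
-- (existing_standby_role is a placeholder name).
ALTER ROLE existing_standby_role WITH REPLICATION;

-- pg_hba.conf companion (not SQL): limit the "replication" pseudo-database
-- to the dedicated role and the standby's address, e.g.
--   hostssl  replication  replicator  192.0.2.10/32  md5

-- Audit query: any login role that is both superuser and
-- replication-capable is exactly the shape the post argues against.
SELECT rolname, rolsuper, rolreplication, rolcanlogin
  FROM pg_roles
 WHERE rolreplication AND rolsuper AND rolcanlogin;

-- Roles that can replicate without the superuser bit: the intended shape.
SELECT rolname
  FROM pg_roles
 WHERE rolreplication AND NOT rolsuper;
```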