Re: Changing the setting of wal_sender_timeout per standby

On Sun, Sep 23, 2018 at 10:47:44AM -0400, Tom Lane wrote:
> Andres Freund <andres(at)anarazel(dot)de> writes:
>> Have there been discussions about the security effects of this change?
>> Previously the server admin could control the timeout, which could
>> affect things like syncrep, after this it's not possible anymore. I
>> *think* that's ok, but it should be discussed.
>
> Hm. An evil replication connection could already cause all sorts of
> operational problems (and I'm not counting grabbing all your data).
> Does this add anything much new in that line? It seems like the
> effects would be at least in the same ballpark as not sending
> hot-standby-feedback messages in a timely fashion.

Well, a user able to spawn a WAL sender has replication rights, and it
is already entrusted a lot, particularly knowing that this user can run
BASE_BACKUP and fetch a superuser password which could be used for more
evil actions. So I am not sure what is actually worrying with this
change in this area, at least it seems to me that the bar is not really
lowered. An admin can still enforce a value if the client does not
specify it at connection time. What kind of attack would you see? An
evil user connecting with a insanely high value and delaying failure
detection, impacting the system performance?
--
Michael