Re: Special role for subscriptions

On Fri, Mar 22, 2019 at 08:41:06PM +0800, Andrey Borodin wrote:
> 22 марта 2019 г., в 19:17, Petr Jelinek <petr(dot)jelinek(at)2ndquadrant(dot)com> написал(а):
>> I still don't like that we are running the subscription workers as
>> superuser even for subscriptions created by regular user. That has
>> plenty of privilege escalation issues in terms of how user functions are
>> run (we execute triggers, index expressions etc, in that worker).
>
> Yes, this is important concern, thanks! I think it is not a big deal
> to run worker without superuser privileges too.

FWIW, the argument from Petr is very scary. So please let me think
that it is a pretty big deal.

> Yes, this patch is a pure security implication and nothing else.

And this is especially *why* it needs careful screening.

>> Independently from the willingness of any committer to work on this
>> at current CF, the topic of subscription security relaxation
>> really worth efforts.

Perhaps, still it seems that we are still discussing about the concept
and that we have no clear agreement on what to do. This is not a good
sign 8 days before the end of the last commit fest.
--
Michael